{
	"id": "999b6da1-9b63-41f7-9c9c-155b3d3e656c",
	"created_at": "2026-04-06T00:18:48.821761Z",
	"updated_at": "2026-04-10T03:37:21.554634Z",
	"deleted_at": null,
	"sha1_hash": "8672bf2aa7adfbc2bf776aedadeb13b31b406932",
	"title": "Lessons from Exchange Exploitation for Defenders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 182634,
	"plain_text": "Lessons from Exchange Exploitation for Defenders\r\nBy Joe Slowik\r\nArchived: 2026-04-05 15:36:49 UTC\r\nExamining Exchange Exploitation and its Lessons for Defenders\r\nBackground\r\nOn 02 March 2021, Microsoft released out-of-band updates for Microsoft Exchange to cover four actively-exploited vulnerabilities:\r\nCVE-2021-26855: a pre-authentication Server-Side Request Forgery (SSRF) vulnerability enabling access\r\nto a vulnerable Exchange server. This specific vulnerability, identified by researchers at DEVCORE, is also\r\nreferred to as ProxyLogon.\r\nCVE-2021-26857: a privilege escalation vulnerability allowing an attacker with code execution to run\r\ncommands as SYSTEM.\r\nCVE-2021-26858: a post-authentication arbitrary file write vulnerability in Exchange allowing an attacker\r\nto write contents to any accessible part of the victim system.\r\nCVE-2021-27065: another post-authentication arbitrary file write vulnerability.\r\nUsed together, these vulnerabilities allow for remote access to an exposed Microsoft Exchange instance, follow-on\r\ncode execution at privileged levels, and the ability to establish persistence on the victim system. DEVCORE\r\nresearch started in October 2020, with acknowledgement from Microsoft that the SSRF vulnerability ProxyLogon\r\nexisted on 06 January 2021.\r\nhttps://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders\r\nPage 1 of 8\n\nIn coordination with Microsoft’s release, information security company Volexity released its own report covering\r\nintrusion activity utilizing this exploitation chain, referred to as Operation Exchange Marauder, since 03 January\r\n2021—interestingly, a few days prior to Microsoft’s acknowledgment of the vulnerability. 
Independently of\r\nMicrosoft and Volexity, FireEye also released reporting on overlapping exploitation activity taking place since\r\nJanuary 2021, although no precise date was provided in their post.\r\nFollowing disclosure on 02 March 2021, multiple parties reported odd activity prior to release and substantial\r\nincreases in Exchange targeting shortly thereafter. Most notably, several entities reported widespread scanning of\r\nMicrosoft Exchange servers just prior to Microsoft’s vulnerability disclosure, from 27 to 28 February 2021.\r\nFurthermore, multiple sources revealed that, while public reporting indicated initial exploitation in tracked\r\ncampaigns started in January 2021, such activity may extend as far back as November 2020. Given that public\r\ntimelines from DEVCORE indicated research and analysis only began in October 2020 with vulnerability\r\ndiscovery in December 2020, the possibility of public exploitation in late 2020 raises a number of questions—\r\nsadly none of which can be answered with current evidence.\r\nIrrespective of when public exploitation of CVE-2021-26855 started, based on the spike in scanning activity\r\nidentified just prior to Microsoft’s announcement and subsequent activity, operations appear to have increased\r\nrapidly after disclosure. Within days of Microsoft’s announcement and corresponding blogs from DEVCORE,\r\nVolexity, and others, various public Proof of Concepts (POCs) appeared from independent researchers and\r\nsecurity firms starting 09 March 2021. 
Whether or not that was already the case beforehand, exploitation of CVE-2021-26855 and\r\nrelated vulnerabilities in the exploit chain took off to the point that multiple entities, from opportunistic state-sponsored\r\norganizations through likely criminal elements, are actively looking for and taking advantage of these security\r\nissues.\r\nWebshell Payloads\r\nRegardless of how or when malicious actors learned of these vulnerabilities in Microsoft Exchange and began\r\nusing them, through at least 09 March 2021 adversary actions remained relatively static: either leverage process\r\nexecution to gather system information and dump credentials and other items from memory; or utilize the\r\nexploitation chain to install a webshell on victim Exchange instances. The former utilized a number of common,\r\npublicly-available (and even legitimate) tools such as ProcDump, Covenant, and Nishang. The latter, although a\r\nwebshell can take many forms and serve many functions, stands out because the majority of observed instances\r\nacross multiple vendors reflect a long-lived, well-known, essentially publicly-available framework: China Chopper.\r\nThe China Chopper webshell framework first appeared no later than 2010. Since China Chopper’s discovery,\r\nresearchers linked the tool to operations from a variety of entities, ranging from state-sponsored espionage\r\ncampaigns through cyber criminal elements. Although historical China Chopper use is associated with threats\r\nphysically located in China, subsequent disclosures and widespread availability mean, as noted by researchers at\r\nCisco Talos, that:\r\n“This web shell is widely available, so almost any threat actor can use [it]. 
This also means it’s nearly impossible\r\nto attribute attacks to a particular group using only [the] presence of China Chopper as an indicator.”\r\nWhile initial access to victims relied on four vulnerabilities that remained zero-days until disclosure on\r\n02 March 2021, this activity concluded with deployment of a commodity, widely known webshell capability. We\r\ntherefore observe a significant disconnect between intrusion methodologies (technically complex and non-public)\r\nand follow-on actions on objective (use of widely known, commodity tools). Adversaries are ultimately judged on\r\nhow successful their operations are rather than on their technical complexity, and this particular campaign appears\r\nto have been very successful; the divergence between access and entrenchment capabilities is nonetheless curious.\r\nMore significantly still, as pointed out by various researchers examining intrusion data, China Chopper\r\ndeployments linked to Exchange exploitation are not uniform. Such observations strongly indicate that more than\r\none adversary—likely operating independently of each other—is associated with Exchange exploitation\r\noperations.\r\nA Note on Attribution\r\nInitial reporting from Microsoft noted that HAFNIUM is “state-sponsored and operating out of China, based on\r\nobserved victimology, tactics and procedures.” While the statement notes operations out of China and that the\r\nentity is assessed to be “state-sponsored,” the sentence as constructed does not explicitly make the claim that\r\nHAFNIUM is a Chinese state-directed operation. Yet despite the very careful wording in Microsoft’s blog,\r\nmultiple media reports quickly made the direct link to China. 
While such a link is certainly possible and has not\r\nbeen ruled out, as of this writing no conclusive evidence has emerged linking HAFNIUM operations to the\r\nPeople’s Republic of China (PRC).\r\nYet HAFNIUM is far from the only entity assessed to be targeting this vulnerability. Independent reporting from\r\nFireEye indicates at least three clusters—referred to as UNC2639, UNC2640, and UNC2643—actively targeting\r\nat least CVE-2021-26855 if not the complete exploitation chain since January 2021, without specifying links to\r\nany known threat actors or state interest. However, subsequent public comments from Kevin Mandia, CEO of\r\nFireEye, to the Associated Press indicated “two groups of Chinese state-backed hackers…installed backdoors\r\nknown as ‘web shells’ on an as-yet undetermined number of systems.” As of this writing, DomainTools is not\r\naware whether this represents a revision to FireEye’s earlier technical reporting.\r\nBeyond FireEye, several other security firms identified additional actors exploiting these vulnerabilities. Security\r\ncompany Red Canary noted two distinct clusters separate from HAFNIUM behaviors, including one labeled\r\nSapphire Pigeon active since 05 March 2021, along with other activity that could not be clustered based on limited\r\nevidence. Antivirus vendor ESET noted an astounding 10 separate groups targeting the Exchange vulnerabilities in\r\ntheir telemetry, including nine cases overlapping with existing threat groups and one cryptocurrency mining\r\ncampaign.\r\nWhile none of the reports beyond Microsoft and public comments from FireEye leadership link identified activity\r\nto China, it is worth noting that several of the groups identified in ESET’s analysis have previously been linked to\r\nPRC-sponsored activity. 
This includes:\r\nTick, also referred to as BRONZE BUTLER.\r\nLuckyMouse, also referred to as Emissary Panda or APT27.\r\nCalypso, which is assessed to have PRC origins in some analysis.\r\nThe “Winnti Group,” although this is a wide-ranging classifier that may encompass many distinct entities.\r\nTonto Team, also referred to as Karma Panda and CactusPete.\r\nMikroceen APT Group, also referred to as Vicious Panda, which is assessed to have PRC origins in some\r\nanalysis.\r\nWhile this reporting indicates that PRC-related entities are tied to Exchange exploitation activity, ESET’s analysis\r\nand telemetry shows that such activity started on 28 February 2021 at the earliest, with most entities commencing\r\nexploitation following Microsoft’s public release. Given these observations, while PRC-linked entities appear to\r\nhave targeted the set of vulnerabilities since disclosure, it remains unclear with any degree of certainty which entities\r\nwere doing so prior to late February 2021.\r\nUltimately, evidence at this time only supports the following conclusions:\r\nCVE-2021-26855 was under active exploitation since January 2021 by multiple groups, with the possibility\r\nof some exploitation activity prior to this time.\r\nSince 27 February 2021 and especially following public disclosure by Microsoft on 02 March 2021,\r\nmultiple additional entities have opportunistically leveraged these vulnerabilities as part of multiple,\r\nindependent campaigns.\r\nWhile a number of entities linked to the Exchange exploitation activity have previously been linked to\r\nPRC-directed or -sponsored operations, multiple additional entities are also involved.\r\nPrecise identification and origin of the initial groups targeting these vulnerabilities, including HAFNIUM\r\nand the FireEye UNC clusters, remains unavailable as of this writing.\r\nNetwork Detection Possibilities\r\nThe best advice to mitigate the vulnerabilities disclosed by Microsoft is to apply the relevant patches. However,\r\ngiven the speed with which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and\r\nremediation activities to counter existing intrusions. Red Canary and Microsoft provided excellent guidance for\r\nhost-based detection, analysis, and recovery. The remainder of this article focuses on network-specific avenues\r\navailable to defenders.\r\nAs of this writing, nearly all instances of identified adversary post-exploitation activity relate to webshell\r\ndeployment. One potentially easy mitigation strategy prior to patching would be to eliminate direct access to\r\nExchange from the internet over HTTPS, a necessary condition for remote exploitation. While this would limit\r\naccessibility to services such as Outlook Web Access (OWA), such services can be provided via a Virtual Private\r\nNetwork (VPN) or similar portal to reduce attack surface.\r\nWhile strongly recommended, defenders must also appreciate that this is a threat reduction step and not an\r\nelimination. Given the desirability of Exchange as both a source of intelligence collection itself and as an effective\r\nway to pivot throughout a victim network, defenders should anticipate savvy attackers attempting to exploit on-premises, vulnerable Exchange deployments post-intrusion where possible as well, since anyone who reaches the\r\nVPN or portal can still reach the unpatched server behind it. Therefore, patching is\r\nultimately necessary to eliminate this intrusion operation, while webshell monitoring and defense are recommended\r\nto counter both this event and future security concerns.\r\nWebshells are a difficult security problem to resolve as they take advantage of the inherent nature of the servers on\r\nwhich they are installed to listen for and accept remote traffic via HTTP or HTTPS. 
For services that must remain\r\naccessible, simply blocking these services and related connectivity is not an option. Yet defenders retain several\r\npossible avenues to detect this activity through Network Security Monitoring (NSM) and similar practices.\r\nFor externally accessible servers with known specific functionality (such as Exchange OWA), NSM looking for\r\nodd, unusual, or simply new Uniform Resource Identifiers (URIs) can alert defenders to a potential webshell. In\r\nthis case, a server that should only be accepting traffic to a few narrowly-defined resources (such as the URI to\r\nreach an accessible OWA resource), can be monitored for new, unusual URIs in network traffic. Identifying\r\nsuccessful communication to a different URI at minimum reveals a misconfiguration or potentially insecure\r\nservice, and at worst can identify functionality put into place by an attacker.\r\nAnother NSM possibility focuses on follow-on lateral movement or expansion from initial access on an Exchange\r\n(or other) server. Typical server functionality would indicate receiving and responding to significant traffic, but\r\nnot normally initiating connections to clients within the network. Provided an intruder desires to move beyond\r\ntheir initial point of access, they will need to transition to other hosts. Identifying anomalous traffic flows from\r\nservers can indicate a potentially compromised host and an intruder attempting to move deeper into the victim\r\nnetwork.\r\nFinally, rapid enrichment and analysis of source traffic to servers may be able to identify suspicious or anomalous\r\nconnections. While not especially useful for services designed for general public access (such as a web server),\r\nthis approach may work reasonably well with more circumscribed items such as mail services. 
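The three network heuristics just described, as an added example that is not part of the original article: a short Python script that runs each of them over a handful of constructed records. It assumes HTTP access-log style records of (client IP, method, URI, status) from the Exchange front end and flow records of (source, destination, port) from internal sensors. The addresses, the baseline sets and the prefix-to-ISP table standing in for an ASN or whois enrichment feed are all constructed for illustration, apart from 161.35.45[.]41 and its DigitalOcean attribution, which are taken from the appendix. The dropped .aspx name is invented; the URI check keys on absence from a baseline plus a successful response, not on any particular filename.

```python
import ipaddress

# Added example, not from the article. All data below is constructed:
# HTTP access-log style records for an Exchange front end
# (client_ip, method, uri, status) and flow records from internal
# sensors (src_ip, dst_ip, dst_port). 203.0.113.0/24 is an RFC 5737
# documentation range standing in for ordinary users; 161.35.45.41
# and its DigitalOcean attribution come from the appendix. The
# dropped .aspx name is invented; the check keys on newness, not name.
HTTP_LOG = [
    ('203.0.113.10', 'GET', '/owa/auth/logon.aspx', 200),
    ('203.0.113.11', 'POST', '/owa/auth.owa', 302),
    ('203.0.113.12', 'GET', '/owa/', 200),
    ('203.0.113.10', 'POST', '/EWS/Exchange.asmx', 200),
    ('203.0.113.13', 'POST', '/Microsoft-Server-ActiveSync?Cmd=Ping', 200),
    ('203.0.113.14', 'GET', '/owa/auth/notthere.aspx', 404),
    ('161.35.45.41', 'GET', '/owa/auth/logon.aspx', 200),
    ('161.35.45.41', 'POST', '/owa/auth/example-dropped.aspx', 200),
]

FLOWS = [
    ('10.0.1.5', '10.0.0.10', 389),     # Exchange -> domain controller, LDAP
    ('10.0.1.5', '10.0.0.10', 88),      # Exchange -> domain controller, Kerberos
    ('10.0.100.23', '10.0.1.5', 443),   # workstation -> Exchange, normal OWA use
    ('10.0.1.5', '10.0.100.23', 445),   # Exchange -> workstation, SMB
    ('10.0.1.5', '10.0.100.40', 5985),  # Exchange -> workstation, WinRM
]

# Baselines a defender builds during a quiet period and reviews by hand.
BASELINE_URIS = {
    '/owa/', '/owa/auth/logon.aspx', '/owa/auth.owa',
    '/ews/exchange.asmx', '/microsoft-server-activesync',
}
EXCHANGE_SERVERS = {'10.0.1.5'}
CLIENT_NETS = ['10.0.100.0/24']
BASELINE_ISPS = {'Example Telecom'}

# Constructed stand-in for an ASN/ISP enrichment feed (whois, a GeoIP
# database or a commercial lookup would fill this in production).
PREFIX_TO_ISP = {
    '203.0.113.0/24': 'Example Telecom',
    '161.35.0.0/16': 'DigitalOcean',
}


def isp_for(ip):
    # Longest-prefix match against the enrichment table.
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, isp in PREFIX_TO_ISP.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, isp)
    return best[1] if best else 'unknown'


def new_successful_uris(records, baseline_uris):
    # Heuristic 1: a 2xx response for a path absent from the baseline.
    # The status filter matters: scanners produce many 404s for paths
    # that do not exist, and those are noise rather than a new resource.
    hits = []
    for client, method, uri, status in records:
        path = uri.split('?', 1)[0].lower()
        if 200 <= status < 300 and path not in baseline_uris:
            hits.append((client, method, path))
    return hits


def server_initiated_flows(flows, servers, client_nets):
    # Heuristic 2: a server opening connections into client subnets.
    # Flows to infrastructure the server legitimately depends on (domain
    # controllers, DNS) sit outside client_nets and are not flagged.
    nets = [ipaddress.ip_network(n) for n in client_nets]
    return [
        (src, dst, dport)
        for src, dst, dport in flows
        if src in servers and any(ipaddress.ip_address(dst) in n for n in nets)
    ]


def unexpected_source_isps(records, baseline_isps):
    # Heuristic 3: enrich each client address and report providers
    # outside the baseline of expected ISPs; VPS hosts surface here.
    hits = {}
    for client, _method, _uri, _status in records:
        isp = isp_for(client)
        if isp not in baseline_isps:
            hits[client] = isp
    return hits


def run_detections():
    return {
        'new_uris': new_successful_uris(HTTP_LOG, BASELINE_URIS),
        'server_initiated': server_initiated_flows(FLOWS, EXCHANGE_SERVERS, CLIENT_NETS),
        'unexpected_isps': unexpected_source_isps(HTTP_LOG, BASELINE_ISPS),
    }


if __name__ == '__main__':
    for name, hits in run_detections().items():
        print(name, hits)
```

Running the script reports one new successful URI (the POST from the DigitalOcean address to the invented .aspx path), two server-initiated flows into the workstation subnet, and one client whose provider is outside the baseline. The success-status filter is what keeps the URI check usable: a scanner generates many requests for paths that do not exist, and those 404s are noise, while a 2xx to a path the baseline has never seen is exactly the signal of a resource that was not there before. Treat the ISP hit as an enrichment signal to combine with the other two rather than an alert on its own.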
Depending on\r\nscope and geographic reach, organizations can identify typical source Autonomous System Numbers (ASNs) or\r\nInternet Service Providers (ISPs) for legitimate connectivity. Using this list as a baseline, defenders can then\r\nmonitor for connections from new or unique ASNs, ISPs, or hosting providers. For example, in the case of the\r\nExchange exploitation activity, multiple vendors reported use of Virtual Private Servers (VPSs) from providers\r\nsuch as DigitalOcean (see Appendix). Identifying traffic to an Exchange server or similar service from a VPS node\r\nwould likely be anomalous compared to traffic from typical, legitimate user activity.\r\nOverall, a combination of visibility and information enrichment can be applied to gain greater insight into network\r\ntraffic and external connectivity, while potentially revealing malicious behaviors such as webshell installation or\r\ncommunication. Defenders are cautioned that none of the above approaches are universal in scope or applicability,\r\nand would require a combination of testing, baselining, and similar evaluation to avoid implementing detection or\r\nalerting logic which may lead to significant false positives. Remote users connecting through commercial VPN\r\nservices or cloud-hosted proxies, for instance, will also appear to originate from hosting providers, so a provider\r\nmismatch is best treated as one enrichment signal to combine with others rather than as an alert on its own.\r\nConclusion\r\nThe rapid expansion in Microsoft Exchange exploitation is extremely concerning for a variety of organizations\r\nusing this software. Starting with narrowly tailored targeting in January 2021 (and possibly earlier), activity\r\nexploded from late February onward as an increasing number of threats learned about and either developed or\r\ngained access to exploit code. Based on this rapid expansion in activity, threat attribution and similar evaluation\r\nwill be difficult if not impossible, especially as public POCs become available for widespread use.\r\nWhile concerning, defenders are not completely without recourse in this situation. 
A combination of timely\r\npatching, attack surface reduction, and active threat hunting within environments can be applied to reduce the\r\nlikelihood of intrusion and identify potential breaches that have already taken place. Although certainly not easy,\r\ngiven the scale and rapid expansion of Exchange exploitation, organizations running such software are strongly\r\nencouraged to enter into response and recovery mode now, as an increasingly diverse set of threats is quickly\r\nsubverting any accessible system.\r\nAppendix: Infrastructure Linked to Exploitation Activity\r\nIP | ISP | Location | Function | Source | Actor\r\n103.77.192[.]219 | Multibyte Info Technology Limited | HK | Exploit Source | Volexity | HAFNIUM\r\n104.140.114[.]110 | Eonix | US | Exploit Source | Volexity | HAFNIUM\r\n104.248.49[.]97 | DigitalOcean | US | Exploit Source | Various | N/A\r\n104.250.191[.]110 | PERFORMIVE | US | Exploit Source | Volexity | HAFNIUM\r\n108.61.246[.]56 | Choopa | JP | Exploit Source | Volexity | HAFNIUM\r\n112.66.255[.]71 | Chinanet | CN | Exploit Source | Various | N/A\r\n139.59.56[.]239 | DigitalOcean | IN | Exploit Source | Various | N/A\r\n149.28.14[.]163 | Choopa | US | Exploit Source | Volexity | HAFNIUM\r\n157.230.221[.]198 | DigitalOcean | US | Exploit Source | Volexity | HAFNIUM\r\n161.35.1[.]207 | DigitalOcean | US | Exploit Source | Various | N/A\r\n161.35.1[.]225 | DigitalOcean | US | Exploit Source | Various | N/A\r\n161.35.45[.]41 | DigitalOcean | GB | Exploit Source, Scanning | Swiss CERT, Rapid7 | N/A\r\n161.35.51[.]41 | DigitalOcean | US | Exploit Source | Various | N/A\r\n161.35.76[.]1 | DigitalOcean | DE | Exploit Source | Various | N/A\r\n165.232.154[.]116 | DigitalOcean | US | Exploit Scanning | FireEye, Rapid7 | UNC2639\r\n167.99.168[.]251 | DigitalOcean | US | Exploit Source | Volexity | HAFNIUM\r\n167.99.239[.]29 | DigitalOcean | US | Exploit Source | Various | N/A\r\n182.18.152[.]105 | CtrlS Datacenters Ltd | IN | Unknown | FireEye | UNC2639\r\n185.250.151[.]72 | Innovation IT | US | Exploit Source | Volexity | HAFNIUM\r\n188.166.162[.]201 | DigitalOcean | DE | Exploit Source | Various | N/A\r\n192.81.208[.]169 | DigitalOcean | US | Exploit Source | Volexity | HAFNIUM\r\n194.87.69[.]35 | LLC Baxet | RU | Webshell C2 | Rapid7 | N/A\r\n203.160.69[.]66 | China Unicom | HK | Exploit Source | Volexity | HAFNIUM\r\n211.56.98[.]146 | Korea Telecom | KR | Exploit Source | Volexity | HAFNIUM\r\n45.77.252[.]175 | Choopa | SG | Exploit Source | Various | N/A\r\n5.2.69[.]14 | The Infrastructure Group | NL | Exploit Source | Various | N/A\r\n5.254.43[.]18 | Voxility | US | Exploit Source | Volexity | HAFNIUM\r\n77.61.36[.]169 | KPN | NL | Exploit Source | Various | N/A\r\n80.92.205[.]81 | Innovation IT | US | Exploit Source | Volexity | HAFNIUM\r\n86.105.18[.]116 | WorldStream | NL | Unknown | FireEye | UNC2643\r\n89.34.111[.]11 | 23Media | DE | Unknown | FireEye | UNC2643\r\n91.192.103[.]43 | Datasource | CH | Exploit Source | Various | N/A\r\nSource: https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders"
	],
	"report_names": [
		"examining-exchange-exploitation-and-its-lessons-for-defenders"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c5d5d4-3969-4e34-9982-55144c3908eb",
			"created_at": "2022-10-25T16:07:24.37846Z",
			"updated_at": "2026-04-10T02:00:04.965506Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"Bronze Dudley"
			],
			"source_name": "ETDA:Vicious Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"BBSRAT",
				"Byeby",
				"Cmstar",
				"Enfal",
				"Lurid",
				"Pylot",
				"RoyalRoad",
				"Travle",
				"meciv"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6",
			"created_at": "2022-10-25T16:07:23.869951Z",
			"updated_at": "2026-04-10T02:00:04.766204Z",
			"deleted_at": null,
			"main_name": "Mikroceen",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "ETDA:Mikroceen",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Microcin",
				"Mikroceen",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"logon.dll",
				"logsupport.dll",
				"pcaudit.bat",
				"sqllauncher.dll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7",
			"created_at": "2023-01-06T13:46:39.068694Z",
			"updated_at": "2026-04-10T02:00:03.202867Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"BRONZE MEDLEY"
			],
			"source_name": "MISPGALAXY:Calypso",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13d9c5fc-af82-4474-90dd-188c4e40a399",
			"created_at": "2022-10-25T16:07:23.435079Z",
			"updated_at": "2026-04-10T02:00:04.601572Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"Bronze Medley"
			],
			"source_name": "ETDA:Calypso",
			"tools": [
				"Agent.dhwf",
				"Byeby",
				"Calypso RAT",
				"DCSync",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"EternalRomance",
				"FlyingDutchman",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"NBTscan",
				"OS_Check_445",
				"PlugX",
				"Quarks PwDump",
				"RedDelta",
				"SAMRID",
				"Sogu",
				"SysInternals",
				"TCP Port Scanner",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Whitebird",
				"Xamtrav",
				"ZXPortMap",
				"nbtscan",
				"netcat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8672bf2aa7adfbc2bf776aedadeb13b31b406932.pdf",
		"text": "https://archive.orkl.eu/8672bf2aa7adfbc2bf776aedadeb13b31b406932.txt",
		"img": "https://archive.orkl.eu/8672bf2aa7adfbc2bf776aedadeb13b31b406932.jpg"
	}
}