{ "id": "a5d6dbee-75a4-4b3a-9e5a-bdf72023ca2d", "created_at": "2026-04-06T00:06:46.804226Z", "updated_at": "2026-04-10T13:12:45.057261Z", "deleted_at": null, "sha1_hash": "8688aec5114fb87cf951ffe8ddd82540c30f6cae", "title": "The Dropping Elephant - aggressive cyber-espionage in the Asian region", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 399594, "plain_text": "The Dropping Elephant - aggressive cyber-espionage in the Asian\r\nregion\r\nBy GReAT\r\nPublished: 2016-07-08 · Archived: 2026-04-05 18:04:53 UTC\r\nDropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting\r\na variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all\r\ninvolved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering\r\nhole attacks.\r\nOverall, the activities of this actor show that low investment and ready-made offensive toolsets can be very\r\neffective when combined with high quality social engineering. We have seen more such open source toolset\r\ndependency with meterpreter and BeEF, and expect to see this trend continue.\r\nThe Attack Method: Infection Vector\r\nDropping Elephant uses two main infection vectors that share a common, and fairly elaborately maintained, social\r\nengineering theme – foreign relations with China.\r\nThe first approach involves spear-phishing targets using a document with remote content. As soon as the user\r\nopens the document, a “ping” request is sent to the attackers’ server. At this point, the attackers know the user has\r\nopened the document and send another spear-phishing email, this time containing an MS Word document with an\r\nembedded executable. The Word document usually exploits CVE-2012-0158. Sometimes the attackers send an\r\nMS PowerPoint document instead, which exploits CVE-2014-6352.\r\nOnce the payload is executed, an UPX packed AutoIT executable is dropped. Upon execution, this downloads\r\nadditional components from the attackers’ servers. Then the stealing of documents and data begins.\r\nThe second approach involves capturing victims through watering hole attacks. The actor created a website that\r\ndownloads genuine news articles from other websites. If a website visitor wants to view the whole article they\r\nwould need to download a PowerPoint document. This reveals the rest of the article, but also asks the visitor to\r\ndownload a malicious artifact.\r\nThe two main infection vectors are supported by other approaches. Sometimes, the attackers email out links to\r\ntheir watering hole websites. They also maintain Google+, Facebook and twitter accounts to develop relevant SEO\r\nand to reach out to wider targets. Occasionally, these links get retweeted, indiscriminately bringing more potential\r\nvictims to their watering holes.\r\n1. Malware Analysis\r\nhttps://securelist.com/the-dropping-elephant-actor/75328/\r\nPage 1 of 8\n\nThe backdoor is usually UPX packed but still quite large in size. The reason for this is that most of the file\r\ncomprises meaningless overlay data, since the file is an automatically generated AutoIT executable with an\r\nAutoIT3 script embedded inside. Once started, it downloads additional malware from the C2 and also uploads\r\nsome basic system information, stealing, among other things, the user’s Google Chrome credentials. The backdoor\r\nalso pings the C2 server at regular intervals. A good security analyst can spot this while analyzing firewall log\r\nfiles and thereby find out that something suspicious might be going on in the network.\r\nGenerally speaking, backdoors download additional malware in the form of encrypted or packed\r\nexecutables/libraries. But, in the case of Dropping Elephant, the backdoor downloads encoded blobs that are then\r\ndecoded to powershell command line “scripts”. These scripts are run and, in turn download the additional\r\nmalware.\r\nOne of the more interesting malware samples downloaded is the file-stealer module. When this file-stealer is\r\nexecuted, it makes another callback to the C2 server, downloading and executing yet another malware sample. It\r\nrepeatedly attempts to iterate through directories and to collect files with the following extensions: doc, docx, ppt,\r\npptx, pps, ppsx, xls, xlsx, and pdf. These files are then uploaded to the C2 server.\r\nAlso interesting are the resilient communications used by this group. Much like the known actors Miniduke or\r\nCommentCrew, it hides base64 encoded and encrypted control server locations in comments on legitimate web\r\nsites. However, unlike the previous actors, the encrypted data provides information about the next hop, or the true\r\nC2 for the backdoor, instead of initial commands.\r\n2. C2 Analysis\r\nIn many cases it was very difficult to get a good overview of the campaign and to find out how successful it is. By\r\ncombining KSN data with partner-provided C2 server data, we were able to obtain a much fuller picture of the\r\nincident.\r\nWe examined connections and attack logins to this particular C2. As it turned out, the attackers often logged in via\r\na VPN, but sometimes via IPs belonging to an ordinary ISP in India. We then looked at the time the attackers were\r\nactive, of which you can find an image below.\r\nhttps://securelist.com/the-dropping-elephant-actor/75328/\r\nPage 2 of 8\n\nVictim Profile and Geography\r\nWe also wanted to get a better idea of the geolocation of most visitors. Analysis of the image provided access\r\ncounts and times, along with the IP of the visiting system.\r\nNoteworthy are the many IPs located in China. This focus on China-related foreign relations was apparent from\r\nthe ongoing social engineering themes that were constant throughout the attacks. The concentration of visits from\r\nCN (People’s Republic of China) could be for a variety of reasons – diplomatic staff are visiting these sites from\r\ntheir CN offices, CN academics and analysts are very interested in researching what they believe to be CN-focused think tanks, or some of the IPs are unknown and not self-identifying as bots or scrapers. Regardless,\r\nbecause we were able to determine that multiple targets are diplomatic and governmental entities, these foreign\r\nrelations efforts are likely to represent the main interest of the attackers.\r\nConclusion\r\nCampaigns do not always need to be technically advanced to be successful. In this case, a small group reusing\r\nexploit code, some powershell-based malware and mostly social engineering has been able to steal sensitive\r\ndocuments and data from victims since at least November 2015.\r\nOur analysis of the C2 server confirmed the high profile of most victims, mainly based in the Asian region and\r\nspecially focused on Chinese interests. Actually, some hints suggest the group has been successful enough to have\r\nrecently expanded its operations, perhaps after proving its effectiveness and the value of the data stolen.\r\nThis is quite worrying, especially given the fact that no 0 days or advanced techniques were used against such\r\nhigh profile targets. Simply applying software patches will prevent attacks based on old exploits, as well as\r\ntraining in the most basic social engineering attacks.\r\nHowever, it should be noted that in this case Microsoft´s patch for exploit CVE-2014-1761 just warns the user not\r\nto allow the execution of the suspicious file.\r\nhttps://securelist.com/the-dropping-elephant-actor/75328/\r\nPage 3 of 8\n\nDropping Elephant artifacts are detected by Kaspersky Lab products as:\r\nExploit.Win32.CVE-2012-0158.*\r\nExploit.MSWord.CVE-2014-1761.*\r\nTrojan-Downloader.Win32.Genome.*\r\nHEUR:Trojan.Win32.Generic\r\nAs usual Kaspersky Lab actively collaborates with CERTs and LEAs to notify victims and help to mitigate the\r\nthreat. If you need more information about this actor, please contact intelreports@kaspersky.com\r\nMore information on how Kaspersky Lab technologies protect against such cyberespionage attacks is available on\r\nKaspersky Business blog.\r\nIndicators of Compromise\r\nBackdoors\r\neddb8990632b7967d6e98e4dc1bb8c2f\r\n1ec225204857d2eee62c78ee7b69fd9d\r\nd3d3a5de76df7c6786ed9c2850bd8405\r\n05c5cc0e66ad848ec540fcd3af5853b1\r\n0839b3f0a4b28111efc94942436041cb\r\n0cf4acddfaa77bc66c44a687778f8695\r\n233a71ea802af564dd1ab38e62236633\r\n39538c8845bd0b4a96c4b8bc1e5d7ea3\r\n54c49a6768e5f8551d0918e63b200775\r\n7a662144f9d6bada8aea09b579e15562\r\naa755fc3521954b10fd65c07b423fc56\r\nd8102a24ca00ef3db7d942912765441e\r\ne231583412573ecabfd05c4c0642a8b9\r\neddb8990632b7967d6e98e4dc1bb8c2f\r\nfb52fbd9b3b465453276f42c46350c25\r\nExploit documents\r\nd69348794e85ddea6a5f68b85f9bf47b 10_gay_celebs.doc\r\n9f9824e9a4d7d3073aebbcc781869660 1111_v1.doc\r\nd1c864ae8770ae43a0e59a31c0788dc2 13_Five_Year_Plan_2016-20-1.pps\r\n9a0534772ac23ff64e3c85b18fbec596 2015nianshijiexiaoxuanshou.doc\r\na46d44e227b49d2075730610cfec0b2e 7GeopoliticalConsequencetoAnticipateinAsiainEarly2016_1.doc\r\n79afb3f44172447015578b8064c1dda0 7GeopoliticalConsequencetoAnticipateinAsiainEarly2016_2.doc\r\n6abf60e9e2f6e3fa4c8020e1b2ef2867 ABiggerBolderChinain2016_1.doc\r\n89963d5aac8441b0febbe5d5a0ab7629 ABiggerBolderChinain2016_2.doc\r\nd79e1d6302aabbdf083ba89a7c2f34fc aeropower.pps\r\n90af176bfdf248d2899b49316458e4b6 australia_fonops_1.pps\r\nhttps://securelist.com/the-dropping-elephant-actor/75328/\r\nPage 4 of 8\n\n24c722f3d0770ede82fa3d6b550098b3 australia_fonops_2.pps\r\n08a116efce7d947257ce94fc8f3e276e aviation_1.pps\r\n0ae8f01b9ba0394f5e68536574076aa1 aviation_2.pps\r\n0d1bdb45bac3b09e28e4f0cb09c97194 beauty3.pps\r\nd807fb3cb1a0687e152d288171ab9b59 beauty6.pps\r\nf017c65c7b5d14df11c5e0e4f0406562 CHINA_FEAR_US_3.pps\r\n3cd8e3e80a106b0590a7b5eedddf4715 CHINA_FEAR_US_6.pps\r\na1940b31af27139a13dff852cb012a22 ChinainSyria.doc\r\ne7ba5c209635607b2b0e38a00a822953 chinamilstrat1.doc\r\nd273f090b96eca7c93387a03d9527d9b chinamilstrat2.doc\r\n17d5acf49a4d65a4aacc362576dbaa12 chinamilstrength.pps\r\n3c68ca564595e108920a0f105728fded China_Response_NKorea_Nuclear_Test1.pps\r\n8c21aee21b6bfa12ecf6070a4532655a China_Response_NKorea_Nuclear_Test2.pps\r\n533ce967d09189d27f38fe6ed4711099 chinascyberarmy2015_1.pps\r\n9c9e5d09699821c53d68e957044ec6e8 chinascyberarmy2015_2.pps\r\nc4f5d6ed36c3d51cb1b31f20922ce880 ChinasMilitaryIntelligenceSystemisChanging_1.doc\r\n1fb7eece41b964517d5224b57073c5d4 ChinasMilitaryIntelligenceSystemisChanging_2.doc\r\n1e620679c90563d46aa349e991d2e0f2\r\nCHINA’S_PUZZLING_DEFENSE_AGREEMENT_WITH_AUSTRALIA_1.doc\r\na0177d2fd49d835244028e98449c77a5\r\nCHINA’S_PUZZLING_DEFENSE_AGREEMENT_WITH_AUSTRALIA_1.pps\r\n1e620679c90563d46aa349e991d2e0f2\r\nCHINA’S_PUZZLING_DEFENSE_AGREEMENT_WITH_AUSTRALIA_2.doc\r\n70c5267c56ded521c6f674a6a6649f05\r\nCHINA’S_PUZZLING_DEFENSE_AGREEMENT_WITH_AUSTRALIA_2.pps\r\na1940b31af27139a13dff852cb012a22 ChinatoReceive_S-400_Missiles.doc\r\n77ff734bc92e853b92595ddf999ee1ec China_two_child_policy_will_underwhelm1.doc\r\n8c875542def907312fd92d10746c230c China_two_child_policy_will_underwhelm1.pps\r\ne98b1ed80ba3a3b6b0809f04536e9753 ChinaUS_1.pps\r\n36581da1d10ba6382a63e7046c21dd8d ChinaUS_2.pps\r\n9a7e499d7abfcbe7fb2a78cf1d7a2f10 chinesemilstrat_1.pps\r\n40ace1c9394c95d7e9e1e80f24bd1a73 chinesemilstrat_2.pps\r\n71d59036f84aba8e60aa8785e3883372 cppcc_1.pps\r\n04aff7c333055188219e290e58313d78 cppcc_2.pps\r\ndffe28c9c4dc9e2e865e3237f4bc38c4 Dev_Kumar_Sunuwar.doc\r\nae27773e49fea122e3f8ce7a27e6c555 election.pps\r\n86edf4fab125d8ccba85138f43b24def enggmarvels_1.pps\r\na8022594e81c74b22abca772eb89657c enggmarvels_2.pps\r\nbc08d1bddf72369adceffbfc36f848df fengnew33.pps\r\n2c70e1f152e2cb42bb29aadb66ece2ec fengnew36.pps\r\n3a2be243b0c78e8689b34e2415d5e479 fengnew63.pps\r\n2158cb891a8ecbaaa70a641a6529b787 fengnew66.pps\r\nhttps://securelist.com/the-dropping-elephant-actor/75328/\r\nPage 5 of 8\n\na1940b31af27139a13dff852cb012a22 final.doc\r\na1940b31af27139a13dff852cb012a22 FinancialCrisisChina.doc\r\n884f76542f3972f473376c943daeaf8f futuredrones_1.pps\r\n098c74c23ed73ac7bf7581fec2eb088d futuredrones_2.pps\r\n915e5eefd145c59677a2a9eded97d114 gaokaonewreforms_1.doc\r\n57377233f2a946d150115ad23bbaf5e6 gaokaonewschedule_1.pps\r\n1c5b468489cf927c1d969484ddbdd8ea gaokaonewschedule_2.pps\r\nfa2f8ec0ab22f0461e860394c6b06a68 harbin_1.pps\r\n9a0534772ac23ff64e3c85b18fbec596 Heart_Valve_Replacement.doc\r\n4ea4142bab2b90e5779df19616f7d8ca Implication_China_mil_reforms_1.doc\r\n8a350d3f6fb359377d8939e1a2e033f3 Implication_China_mil_reforms_1.pps\r\nf5e121671384fbd43534b8515c9e6940 ISIS_Bet_Part1.doc\r\n3a83e09f1b751dc08f4b719ed51c3fbc ISIS_Bet_Part2.doc\r\n8a1a10dcc6e2ac6b40a86d6ed20cf1bd japan_pivot_1.pps\r\n72c05100da6b6bcbf3f96fee5cf67c3f japan_pivot_2.pps\r\nebe8efbad7f01b76465afaf474589c2f jtopcentrecomn.pps\r\n165ae88945852a37fca8ec5224e35188 korea1.pps\r\n38e71afcdd6236ac3ad24bda393a81c6 militarizationofsouthchinasea_1.pps\r\n61f812a1924e6d5b4307313e20cd09d1 militarizationofsouthchinasea_2.pps\r\n4595dbaeec06e3f9b466d618b4da767e MilitaryReforms1.pps\r\n1de10c5bc704d3eaf4f0cfa5ddd63f2d MilitaryReforms2.pps\r\nce1426ffe9ad4439795d269ddcf57c87 MilReform_1.doc\r\n1e620679c90563d46aa349e991d2e0f2 MilReform_2.doc\r\n8d2f4e691f2e318f7162a3a5d397b29c MilReforms_1.pps\r\n631d44688303be28a1b825aa1c9f3202 MilReforms_2.pps\r\nfe78c037844ad08a9a79c85f46e68a67 my_lovely_pics_3.pps\r\nd5a976cc714651711c8f067dd5e00709 my_lovely_pics_6.pps\r\n657e9333a052f593b7c51c58917a1b1f my_photos_3.pps\r\ne08bbed0aa4b21ae921d4dc5350789c7 my_photos_6.pps\r\n141a8b306af8087df4feee15f571eb59 nail_art_3.pps\r\n122d7dff33174e532063a16ae526208d nail_art_6.pps\r\nd049a6f9e527a72a4b917eec1acbd6f9 netflix1.doc\r\n09a478efd8c5aeef3a5395e3988f5059 netflix1.pps\r\nd791f8d9495d5d5df0cedb8b27fb3b49 netflix2.doc\r\ne7b4511cba3bba6983c43c9f9014a49d netflix2.pps\r\nd01be8c3c027f9d6f0d93542dfe7ca97 nianshijiexiaoxuanshou2015.doc\r\n040712ba00b32cc19e1938e14e732f59 North_Korea_Nuclear_Test_1.doc\r\n3b0ca7dafb94333234e4f1330a1699da North_Korea_Nuclear_Test_2.doc\r\n1e620679c90563d46aa349e991d2e0f2 Obama_Gift_China_1.doc\r\n6f327b93279f3ce39f4fbe7a610c3cd2 Obama_Gift_China_1.pps\r\n1e620679c90563d46aa349e991d2e0f2 Obama_Gift_China_2.doc\r\n58179b5cf455e2bcac396c697cd43050 Obama_Gift_China_2.pps\r\nhttps://securelist.com/the-dropping-elephant-actor/75328/\r\nPage 6 of 8\n\nfa94f2843639f7afec3c06799a8d222e PAK_CHINA_NAVAL_EXERCISEn.doc\r\n4d2bde1b3985d1e1088801d92d1d6ca9 pension_1.pps\r\n9a0534772ac23ff64e3c85b18fbec596 Reconciliation_China’s_PLAN.doc\r\n2c9b4d460e846d5814c2691ae4591c4f Stewardess1.doc\r\ndab037a9e02978bcd275ddaa15dab01d stewardess1.pps\r\n007c9c29786d0af81caf437fe626c6fe Stewardess2.doc\r\n8aae16b5e64445703d939bc7923ae7b7 stewardess2.pps\r\n036a45983df8f81bf1875097fc026b04 syria_china.pps\r\na8b9a32723452d27257924a737ec1bed TaiwanDiplomaticAccess_1.pps\r\nf16ee3123d5eb21c053ac95e7cd4f203 TaiwanDiplomaticAccess_2.pps\r\n71ce64fee9cd323828a44e9228d2736b tibetculture_1.pps\r\nb5e5e428b31a8affe48fdf6b8a253dc6 tibetculture_2.pps\r\nd64efa0b8c091b8dbed3635c2b711431 underestimatingUS_1.pps\r\n543fe62829b7b9435a247487cd2a9672 underestimatingUS_2.pps\r\n807796263fd236a041f3633ac578140e UruguayJan-Jun_1o.pps\r\n98e7dc26531469e6b968cb422371601a uruguayjan-jun_1.pps\r\n7eb1b6fefe7c5f86dcc914056928a17b UruguayJan-Jun_2o.pps\r\n7660c6189c928919b0776713d2755db2 uruguayjan-jun_2.pps\r\n7c4c866cf78be30229b75a3301345f44 UruguayJul-Dec_1o.pps\r\na4fcf3a441865ae17f2c80ff7c28543d uruguayjul-dec_1.pps\r\ndba585f7d5fc51566c663bd738de2c33 UruguayJul-Dec_2o.pps\r\nf7905a7bd6483a12ab36071363b012c3 uruguayjul-dec_2.pps\r\n409e3368af2add71265d2811aa9d6817 US_China.doc\r\n5a89f11f4bb3b5637c731e206f807ff7 us_srilanka_relations_1.pps\r\n7f50d3f4eabffe7225a2d5f0c91009c8 us_srilanka_relations_2.pps\r\n3d01d2a42450064c55574d853c086f9a WILL_ISIS_INFECT_BANGLADESH.doc\r\n1538a412fd4035954237c0b4c135fcba WILL_ISIS_INFECT_BANGLADESH.pps\r\neb0b18ecaa6f40e48970b08f3a3e6803 zodiac_1.pps\r\nda29f5eeb39332a850f04be2906315c1 zodiac_2.pps\r\nDomains and IPs\r\nhttp://www.epg-cn[.]com\r\nhttp://chinastrat[.]com\r\nhttp://www.chinastrats[.]com\r\nhttp://www.newsnstat[.]com\r\nhttp://cnmilit[.]com\r\nhttp://163-cn[.]org\r\nalfred.ignorelist[.]com\r\nhttp://5.254.98[.]68\r\nhttp://43.249.37[.]173\r\nhttp://85.25.79[.]230\r\nhttp://10.30.4[.]112\r\nhttps://securelist.com/the-dropping-elephant-actor/75328/\r\nPage 7 of 8\n\nhttp://5.254.98[.]68\r\nhttp://microsofl.mooo[.]com\r\nussainbolt.mooo[.]com\r\nussainbolt1.mooo[.]com\r\nupdatesys.zapto[.]org\r\nupdatesoft.zapto[.]org\r\nhttp://feeds.rapidfeeds[.]com/61594/\r\nhttp://wgeastchina.steelhome[.]cn/xml.xml\r\nhttp://hostmyrss[.]com/feed/players\r\nhttp://feeds.rapidfeeds[.]com/81908/\r\nhttp://feeds.rapidfeeds[.]com/79167/\r\nhttp://feeds.rapidfeeds[.]com/61594/\r\nUpdate: our friends from Cymmetria (https://www.cymmetria.com/) have released their analysis of the Dropping\r\nElephant / Patchwork APT – make sure to check it as well for more data about the attacks:\r\nhttps://www.cymmetria.com/patchwork-targeted-attack/\r\nSource: https://securelist.com/the-dropping-elephant-actor/75328/\r\nhttps://securelist.com/the-dropping-elephant-actor/75328/\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "MITRE", "ETDA", "Malpedia" ], "origins": [ "web" ], "references": [ "https://securelist.com/the-dropping-elephant-actor/75328/" ], "report_names": [ "75328" ], "threat_actors": [ { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "7ea1e0de-53b9-4059-802f-485884180701", "created_at": "2022-10-25T16:07:24.04846Z", "updated_at": "2026-04-10T02:00:04.84985Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "APT-C-09", "ATK 11", "Capricorn Organisation", "Chinastrats", "Dropping Elephant", "G0040", "Maha Grass", "Quilted Tiger", "TG-4410", "Thirsty Gemini", "Zinc Emerson" ], "source_name": "ETDA:Patchwork", "tools": [ "AndroRAT", "Artra Downloader", "ArtraDownloader", "AutoIt backdoor", "BADNEWS", "BIRDDOG", "Bahamut", "Bozok", "Bozok RAT", "Brute Ratel", "Brute Ratel C4", "CinaRAT", "Crypta", "ForeIT", "JakyllHyde", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NDiskMonitor", "Nadrac", "PGoShell", "PowerSploit", "PubFantacy", "Quasar RAT", "QuasarRAT", "Ragnatela", "Ragnatela RAT", "SocksBot", "TINYTYPHON", "Unknown Logger", "WSCSPL", "Yggdrasil" ], "source_id": "ETDA", "reports": null }, { "id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6", "created_at": "2022-10-25T15:50:23.285448Z", "updated_at": "2026-04-10T02:00:05.282202Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "Hangover Group", "Dropping Elephant", "Chinastrats", "Operation Hangover" ], "source_name": "MITRE:Patchwork", "tools": [ "NDiskMonitor", "QuasarRAT", "BackConfig", "TINYTYPHON", "AutoIt backdoor", "PowerSploit", "BADNEWS", "Unknown Logger" ], "source_id": "MITRE", "reports": null }, { "id": "2b29dd16-a06f-4830-81a1-365443bc54b8", "created_at": "2023-01-06T13:46:38.460047Z", "updated_at": "2026-04-10T02:00:02.983931Z", "deleted_at": null, "main_name": "QUILTED TIGER", "aliases": [ "Chinastrats", "Sarit", "APT-C-09", "ZINC EMERSON", "ATK11", "G0040", "Orange Athos", "Thirsty Gemini", "Dropping Elephant" ], "source_name": "MISPGALAXY:QUILTED TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434006, "ts_updated_at": 1775826765, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8688aec5114fb87cf951ffe8ddd82540c30f6cae.pdf", "text": "https://archive.orkl.eu/8688aec5114fb87cf951ffe8ddd82540c30f6cae.txt", "img": "https://archive.orkl.eu/8688aec5114fb87cf951ffe8ddd82540c30f6cae.jpg" } }