{
	"id": "0571e478-cfea-4dd2-97ad-4ef68248b120",
	"created_at": "2026-04-06T00:11:29.826507Z",
	"updated_at": "2026-04-10T03:38:01.716269Z",
	"deleted_at": null,
	"sha1_hash": "86995b727de720c782d7ec0d34affa03ed2ceddf",
	"title": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2198267,
	"plain_text": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation\r\nPublished: 2023-01-24 · Archived: 2026-04-05 16:30:03 UTC\r\nBy Aleksandar Milenkoski, Joey Chen, and Amitai Ben Shushan Ehrlich\r\nExecutive Summary\r\n- SentinelLABS tracks a cluster of recent opportunistic attacks against organizations in East Asia as DragonSpark.\r\n- SentinelLABS assesses it is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks.\r\n- The attacks provide evidence that Chinese-speaking threat actors are adopting the little-known open source tool SparkRAT.\r\n- The threat actors use Golang malware that implements an uncommon technique for hindering static analysis and evading detection: Golang source code interpretation.\r\n- The DragonSpark attacks leverage compromised infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware.\r\nOverview\r\nSentinelLABS has been monitoring recent attacks against East Asian organizations that we track as ‘DragonSpark’. The attacks are characterized by the use of the little-known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.\r\nThe DragonSpark attacks represent the first concrete malicious activity in which we observe the consistent use of the open source SparkRAT, a relatively new occurrence on the threat landscape. SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the RAT attractive to threat actors.\r\nThe Microsoft Security Threat Intelligence team reported in late December 2022 on indications of threat actors using SparkRAT. However, we have not observed concrete evidence linking DragonSpark to the activity documented in the report by Microsoft.\r\nWe observed that the threat actor behind the DragonSpark attacks uses Golang malware that interprets embedded Golang source code at runtime as a technique for hindering static analysis and evading detection by static analysis mechanisms. This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations.\r\nIntrusion Vector\r\nhttps://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/\r\nPage 1 of 10\r\nWe observed compromises of web servers and MySQL database servers exposed to the Internet as initial indicators of the DragonSpark attacks. Exposing MySQL servers to the Internet is an infrastructure posture flaw that often leads to severe incidents that involve data breaches, credential theft, or lateral movement across networks. At compromised web servers, we observed use of the China Chopper webshell, recognizable by the \u0026echo [S]\u0026cd\u0026echo [E] sequence in virtual terminal requests. China Chopper is commonly used by Chinese threat actors, which are known to deploy the webshell through different vectors, such as exploiting web server vulnerabilities, cross-site scripting, or SQL injection.\r\nAfter gaining access to environments, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure.\r\nWe observed that the threat actor relies heavily on open source tools that are developed by Chinese-speaking developers or Chinese vendors. This includes SparkRAT as well as other tools, such as:\r\n- SharpToken: a privilege escalation tool that enables the execution of Windows commands with SYSTEM privileges. The tool also features enumerating user and process information, and adding, deleting, or changing the passwords of system users.\r\n- BadPotato: a tool similar to SharpToken that elevates user privileges to SYSTEM for command execution. The tool has been observed in an attack campaign conducted by a Chinese threat actor with the goal of acquiring intelligence.\r\n- GotoHTTP: a cross-platform remote access tool that implements a wide array of features, such as establishing persistence, file transfer, and screen view.\r\nIn addition to the tools above, the threat actor used two custom-built malware samples for executing malicious code: ShellCode_Loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang.\r\nSparkRAT\r\nSparkRAT is a RAT developed in Golang and released as open source software by the Chinese-speaking developer XZB-1248. SparkRAT is a feature-rich and multi-platform tool that supports the Windows, Linux, and macOS operating systems.\r\nSparkRAT uses the WebSocket protocol to communicate with the C2 server and features an upgrade system. This enables the RAT to automatically upgrade itself to the latest version available on the C2 server upon startup by issuing an upgrade request. This is an HTTP POST request, with the commit query parameter storing the current version of the tool.\r\nFigure: A SparkRAT upgrade request\r\nIn the attacks we observed, the version of SparkRAT was 6920f726d74efb7836a03d3acfc0f23af196765e, built on 1 November 2022 UTC. This version supports 26 commands that implement a wide range of functionalities:\r\n- Command execution: including execution of arbitrary Windows system and PowerShell commands.\r\n- System manipulation: including system shutdown, restart, hibernation, and suspension.\r\n- File and process manipulation: including process termination as well as file upload, download, and deletion.\r\n- Information theft: including exfiltration of platform information (CPU, network, memory, disk, and system uptime information), screenshot theft, and process and file enumeration.\r\nFigure: SparkRAT version\r\nGolang Source Code Interpretation For Evading Detection\r\nThe Golang malware m6699.exe uses the Yaegi framework to interpret at runtime encoded Golang source code stored within the compiled binary, executing the code as if it were compiled. This is a technique for hindering static analysis and evading detection by static analysis mechanisms.\r\nThe main purpose of m6699.exe is to execute a first-stage shellcode that implements a loader for a second-stage shellcode.\r\nm6699.exe first decodes a Base64-encoded string. This string is Golang source code that conducts the following activities:\r\n- Declares a Main function as part of a Run package. The run.Main function takes as a parameter a byte array, the first-stage shellcode.\r\n- The run.Main function invokes the HeapCreate function to allocate executable and growable heap memory (HEAP_CREATE_ENABLE_EXECUTE).\r\n- The run.Main function places the first-stage shellcode, supplied to it as a parameter when invoked, in the allocated memory and executes it.\r\nFigure: Golang source code in m6699.exe\r\nm6699.exe then evaluates the source code in the context of the Yaegi interpreter and uses Golang reflection to execute the run.Main function. m6699.exe passes as a parameter to run.Main the first-stage shellcode, which the function executes as previously described. m6699.exe stores the shellcode as a double Base64-encoded string, which the malware decodes before passing it to run.Main for execution.\r\nFigure: The first-stage shellcode that run.Main executes, in double Base64-encoded and decoded form\r\nThe first-stage shellcode implements a shellcode loader. The shellcode connects to a C2 server using the Windows Sockets 2 library and receives a 4-byte big value. This value is the size of a second-stage shellcode, for which the first-stage shellcode allocates memory of the received size. The first-stage shellcode then receives the second-stage shellcode from the C2 server and executes it.\r\nWhen m6699.exe executes, the threat actor can establish a Meterpreter session for remote command execution.\r\nFigure: A Meterpreter session with an m6699.exe instance (in a lab environment)\r\nShellCode_Loader\r\nShellCode_Loader is the internal name of a PyInstaller-packaged malware that is implemented in Python. ShellCode_Loader serves as the loader of a shellcode that implements a reverse shell.\r\nShellCode_Loader uses encoding and encryption to hinder static analysis. The malware first Base64-decodes and then decrypts the shellcode. ShellCode_Loader uses the AES-CBC encryption algorithm with a Base64-encoded AES key and initialization vector for the decryption.\r\nFigure: ShellCode_Loader decodes and decrypts shellcode\r\nShellCode_Loader uses the Python ctypes library to access the Windows API, load the shellcode in memory, and start a new thread that executes the shellcode. The Python code that conducts these activities is Base64-encoded in an attempt to evade static analysis mechanisms that alert on the use of the Windows API for malicious purposes.\r\nFigure: ShellCode_Loader executes shellcode\r\nThe shellcode creates a thread and connects to a C2 server using the Windows Sockets 2 library. When the shellcode executes, the threat actor can establish a Meterpreter session for remote command execution.\r\nFigure: A Meterpreter session with a ShellCode_Loader instance (in a lab environment)\r\nInfrastructure\r\nThe DragonSpark attacks leveraged infrastructure located in Taiwan, Hong Kong, China, and Singapore to stage SparkRAT and other tools and malware. The C2 servers were located in Hong Kong and the United States.\r\nThe malware staging infrastructure includes compromised infrastructure of legitimate Taiwanese organizations and businesses, such as a baby product retailer, an art gallery, and games and gambling websites. We also observed an Amazon Cloud EC2 instance as part of this infrastructure.\r\nThe tables below provide an overview of the infrastructure used in the DragonSpark attacks.\r\nMalware staging infrastructure\r\nIP address/Domain | Country | Notes\r\n211.149.237[.]108 | China | A compromised server hosting web content related to gambling.\r\n43.129.227[.]159 | Hong Kong | A Windows Server 2012 R2 instance with a computer name of 172_19_0_3. The threat actors may have obtained access to this server using a shared or bought account. We observed login credentials with the server’s name being shared over different time periods in the Telegram channels King of VP$ and SellerVPS for sharing and/or selling access to virtual private servers.\r\nwww[.]bingoplanet[.]com[.]tw | Taiwan | A compromised server hosting web content related to gambling. The website resources have been removed at the time of writing. The domain has been co-hosted with several other websites of legitimate businesses, including travel agencies and an English preschool.\r\nwww[.]moongallery.com[.]tw | Taiwan | A compromised server hosting the website of the Taiwanese art gallery Moon Gallery.\r\nwww[.]holybaby.com[.]tw | Taiwan | A compromised server hosting the website of the Taiwanese baby product retailer Holy Baby.\r\n13.213.41[.]125 | Singapore | An Amazon Cloud EC2 instance named EC2AMAZ-4559AU9.\r\nC2 server infrastructure\r\nIP address/Domain | Country | Notes\r\n103.96.74[.]148 | Hong Kong | A Windows Server 2012 R2 instance with a computer name of CLOUD2012R2. The threat actors may have obtained access to this server using a shared or bought account. We observed login credentials with the server’s name being shared over different time periods in the Telegram channels Premium Acc, IRANHACKERS, and !Only For Voters for sharing and/or selling access to virtual private servers. This set of infrastructure was observed resolving to jiance.ittoken[.]xyz at the time of writing. This specific domain can be linked to a wider set of Chinese phishing infrastructure over the past few years. It is unclear if they are related to this same actor.\r\n104.233.163[.]190 | United States | A Windows Server 2012 R2 instance with a computer name of WIN-CLC0OFDKTMK. The most recent passive DNS record related to this IP address points to a domain name with a Chinese TLD, kanmn[.]cn. However, this is shared hosting infrastructure through Aquanx and likely used by a variety of customers. This IP address is known to have hosted a Cobalt Strike C2 server and to have been involved in other malicious activities, such as hosting known malware samples.\r\nAttribution Analysis\r\nWe assess it is highly likely that a Chinese-speaking threat actor is behind the DragonSpark attacks. We are unable at this point to link DragonSpark to a specific threat actor due to a lack of reliable actor-specific indicators.\r\nThe actor may have espionage or cybercrime motivations. In September 2022, a few weeks before we first spotted DragonSpark indicators, a sample of Zegost malware (bdf792c8250191bd2f5c167c8dbea5f7a63fa3b4), an info-stealer historically attributed to Chinese cybercriminals but also observed as part of espionage campaigns, was reported communicating with 104.233.163[.]190. We observed this same C2 IP address as part of the DragonSpark attacks. Previous research by the Weibu Intelligence Agency (微步情报局) reported that the Chinese cybercrime actor FinGhost was using Zegost, including a variant of the sample mentioned above.\r\nIn addition, the threat actor behind DragonSpark used the China Chopper webshell to deploy malware. China Chopper has historically been consistently used by Chinese cybercriminals and espionage groups, such as TG-3390 and Leviathan. Further, all of the open source tools used by the threat actor conducting DragonSpark attacks are developed by Chinese-speaking developers or Chinese vendors. This includes SparkRAT by XZB-1248, SharpToken and BadPotato by BeichenDream, and GotoHTTP by Pingbo Inc.\r\nFinally, the malware staging infrastructure is located exclusively in East Asia (Taiwan, Hong Kong, China, and Singapore), behavior which is common amongst Chinese-speaking threat actors targeting victims in the region.\r\nThis evidence is consistent with our assessment that the DragonSpark attacks are highly likely orchestrated by a Chinese-speaking threat actor.\r\nConclusions\r\nChinese-speaking threat actors are known to frequently use open source software in malicious campaigns. The little-known SparkRAT that we observed in the DragonSpark attacks is among the newest additions to the toolset of these actors.\r\nSince SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future.\r\nIn addition, threat actors will almost certainly continue exploring techniques and specifics of execution environments for evading detection and obfuscating malware, such as the Golang source code interpretation that we document in this article.\r\nSentinelLABS continues to monitor the DragonSpark cluster of activities and hopes that defenders will leverage the findings presented in this article to bolster their defenses.\r\nIndicators of Compromise\r\nDescription | Indicator\r\nShellCode_Loader (a PyInstaller package) | 83130d95220bc2ede8645ea1ca4ce9afc4593196\r\nm6699.exe | 14ebbed449ccedac3610618b5265ff803243313d\r\nSparkRAT | 2578efc12941ff481172dd4603b536a3bd322691\r\nC2 server network endpoint for ShellCode_Loader | 103.96.74[.]148:8899\r\nC2 server network endpoint for SparkRAT | 103.96.74[.]148[:]6688\r\nC2 server network endpoint for m6699.exe | 103.96.74[.]148:6699\r\nC2 server IP address for China Chopper | 104.233.163[.]190\r\nStaging URL for ShellCode_Loader | hxxp://211.149.237[.]108:801/py.exe\r\nStaging URL for m6699.exe | hxxp://211.149.237[.]108:801/m6699.exe\r\nStaging URL for SparkRAT | hxxp://43.129.227[.]159:81/c.exe\r\nStaging URL for GotoHTTP | hxxp://13.213.41.125:9001/go.exe\r\nStaging URL for ShellCode_Loader | hxxp://www.bingoplanet[.]com[.]tw/images/py.exe\r\nStaging URL for ShellCode_Loader | hxxps://www.moongallery.com[.]tw/upload/py.exe\r\nStaging URL for ShellCode_Loader | hxxp://www.holybaby.com[.]tw/api/ms.exe\r\nSource: https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
	],
	"report_names": [
		"dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "235831df-8daf-4a88-945e-db4e7ef06ac6",
			"created_at": "2023-11-17T02:00:07.606121Z",
			"updated_at": "2026-04-10T02:00:03.458263Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonSpark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99aa0795-8936-45db-a397-6d01131fcdcd",
			"created_at": "2023-02-18T02:04:24.085379Z",
			"updated_at": "2026-04-10T02:00:04.654299Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "ETDA:DragonSpark",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"GotoHTTP",
				"SharpToken",
				"SinoChopper",
				"SparkRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434289,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86995b727de720c782d7ec0d34affa03ed2ceddf.pdf",
		"text": "https://archive.orkl.eu/86995b727de720c782d7ec0d34affa03ed2ceddf.txt",
		"img": "https://archive.orkl.eu/86995b727de720c782d7ec0d34affa03ed2ceddf.jpg"
	}
}