{
	"id": "b1b537a1-2d9a-43de-aaf5-eaca03820533",
	"created_at": "2026-04-06T00:15:21.089528Z",
	"updated_at": "2026-04-10T13:11:35.499082Z",
	"deleted_at": null,
	"sha1_hash": "8736823b2fe9a6190a850ad8f8ba90fc3c66c1e9",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 560314,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 16:25:26 UTC\r\nMany security-minded organizations use code signing to provide an additional layer of security and authenticity for their software and files. Code signing is carried out using a type of digital certificate known as a code-signing certificate. Signing validates the authenticity of legitimate software by confirming that an application comes from the organization that signed it. While code-signing certificates can offer more security, they can also live an unintended secret life, providing cover for attack groups such as the Suckfly APT group.\r\nIn late 2015, Symantec identified suspicious activity involving a hacking tool used maliciously against one of our customers. Normally this is considered a low-level alert, easily defeated by security software. In this case, however, the hacktool had a characteristic not typically seen with this type of file: it was signed with a valid code-signing certificate. Many hacktools are made for less than ethical purposes and are freely available, so this was an initial red flag that led us to investigate further.\r\nAs our investigation continued, we soon realized this was much larger than a few hacktools. We discovered Suckfly, an advanced threat group, conducting targeted attacks using multiple stolen certificates, as well as hacktools and custom malware. The group had obtained the certificates through pre-attack operations before commencing targeted attacks against a number of government and commercial organizations spread across multiple continents over a two-year period. 
This type of activity and the malicious use of stolen certificates emphasize the importance of safeguarding certificates to prevent them from being used maliciously.\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 9\n\nAn appetite for stolen code-signing certificates\r\nSuckfly has a number of hacktools and malware varieties at its disposal. Figure 1 identifies the malware and tools based on functionality and the number of signed files with unique hashes associated with them.\r\nFigure 1. Suckfly hacking tools and malware, characterized by functionality\r\nThe first signed hacktool we identified in late 2015 was a digitally signed brute-force server message block (SMB) scanner. The organization associated with this certificate is a South Korean mobile software developer. We were initially curious because the hacktool was signed, and became more suspicious when we realized a mobile software developer had signed it, since an SMB brute-force scanner is not the type of software typically associated with a mobile application.\r\nBased on this discovery, we began to look for other binaries signed with the South Korean mobile software developer's certificate. This led to the discovery of three additional hacktools also signed using this certificate. In addition to being signed with a stolen certificate, the identified hacktools had been used in suspicious activity against a US-based health provider operating in India. This evidence indicates that either the certificate's rightful owner had misused it or it had been stolen from them. 
Symantec worked with the certificate owner to confirm that the hacktool was not associated with them.\r\nFollowing the trail further, we traced malicious traffic back to where it originated and looked for additional evidence that the attacker persistently used the same infrastructure. We discovered the activity originated from three separate IP addresses, all located in Chengdu, China.\r\nIn addition to the traffic originating from Chengdu, we identified a selection of hacktools and malware signed using nine stolen certificates.\r\nThe nine stolen certificates originated from nine different companies that are physically located close together around the central districts of Seoul, South Korea. Figure 2 shows the region in which the companies are located.\r\nFigure 2. Map showing the central districts of Seoul, where the companies with the stolen certificates are located (Map data © 2016 SK planet)\r\nWhile we do not know the exact circumstances of how the certificates were stolen, the most likely scenario is that the companies were breached with malware that had the ability to search for and extract certificates from within the organization. We have seen this capability built into a wide range of threats for a number of years now.\r\nThe organizations that owned the stolen certificates were from four industries (see Figure 3).\r\nFigure 3. 
Owners of stolen certificates, by industry\r\nA timeline of misuse\r\nWe don't know the exact date Suckfly stole the certificates from the South Korean organizations. However, by analyzing the dates when we first saw the certificates paired with hacktools or malware, we can gain insight into when the certificates may have been stolen. Figure 4 details how many times each stolen certificate was used in a given month.\r\nFigure 4. Tracking Suckfly’s use of stolen certificates, by month\r\nThe first sighting of three of the nine stolen certificates being used maliciously occurred in early 2014. Those three certificates were the only ones used in 2014, making it likely that the other six were not compromised until 2015. All nine certificates were used maliciously in 2015.\r\nBased on the data in Figure 4, the first certificates used belonged to Company A (educational software developer) and Company B (video game developer #2). Company A's certificate was used for over a year, from April 2014 until June 2015, and Company B's certificate was used for almost a year, from July 2014 until June 2015. When we discovered this activity, neither company was aware that their certificates had been stolen or how they were being used. Since the companies were unaware of the activity, neither stolen certificate had been revoked. 
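Figure 4 is built from exactly this kind of first-seen data. The following is an added example, not code from the original report, of how an analyst can derive the same view from their own signing telemetry. It takes a constructed list of signed-file sightings (the labels echo the report's anonymised Company A and Company B, but every date, classification and the third company are invented), counts malicious uses per certificate per month, and turns the first malicious sighting plus the revocation status into an upper bound on the theft date and the number of days the certificate stayed usable. The revocation dates and the analysis date are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample, invented for this example: one record per signed file that
# was later classified as a hacktool or malware. 'Company A'/'Company B' mirror the
# report's anonymised labels, but the dates, classifications and the third company
# are made up and are not the report's data.
SIGNED_FILES = [
    {'cert_owner': 'Company A', 'first_seen': date(2014, 4, 12), 'kind': 'hacktool'},
    {'cert_owner': 'Company A', 'first_seen': date(2014, 9, 3), 'kind': 'malware'},
    {'cert_owner': 'Company A', 'first_seen': date(2015, 6, 20), 'kind': 'malware'},
    {'cert_owner': 'Company B', 'first_seen': date(2014, 7, 15), 'kind': 'malware'},
    {'cert_owner': 'Company B', 'first_seen': date(2015, 6, 5), 'kind': 'hacktool'},
    {'cert_owner': 'Company C', 'first_seen': date(2015, 2, 1), 'kind': 'malware'},
    {'cert_owner': 'Company C', 'first_seen': date(2015, 2, 18), 'kind': 'malware'},
]
# Assumed revocation status (invented): None means the certificate was never revoked.
REVOKED = {'Company A': None, 'Company B': None, 'Company C': date(2015, 12, 10)}
AS_OF = date(2016, 3, 15)   # assumed analysis date for certificates still unrevoked

def misuse_timeline(events):
    '''First and last malicious sighting per certificate plus a per-month count,
    i.e. the data behind a Figure 4 style chart.'''
    by_owner = defaultdict(list)
    for e in events:
        by_owner[e['cert_owner']].append(e['first_seen'])
    timeline = {}
    for owner, dates in by_owner.items():
        dates.sort()
        timeline[owner] = {
            'first_malicious_use': dates[0],
            'last_malicious_use': dates[-1],
            'uses_by_month': Counter(d.strftime('%Y-%m') for d in dates),
        }
    return timeline

def monthly_table(events):
    '''Rows of (month, {owner: count}) in chronological order.'''
    cells = defaultdict(Counter)
    for e in events:
        cells[e['first_seen'].strftime('%Y-%m')][e['cert_owner']] += 1
    return [(month, dict(cells[month])) for month in sorted(cells)]

def exposure(events, revoked, as_of):
    '''The certificate must have been stolen no later than its first malicious use,
    and it stays usable until revoked, so an unrevoked certificate has an exposure
    window that is still open at the analysis date.'''
    report = {}
    for owner, t in misuse_timeline(events).items():
        first = t['first_malicious_use']
        end = revoked.get(owner) or as_of
        report[owner] = {
            'stolen_no_later_than': first,
            'revoked_on': revoked.get(owner),
            'days_usable_after_first_abuse': (end - first).days,
            'compromised_by_2014': first.year <= 2014,
        }
    return report

if __name__ == '__main__':
    for month, counts in monthly_table(SIGNED_FILES):
        print(month, counts)
    for owner, row in exposure(SIGNED_FILES, REVOKED, AS_OF).items():
        print(owner, row)
```

The 'days_usable_after_first_abuse' figure is the number a certificate owner should care about: it is the window during which anything signed with the key would still have passed as trusted, and for the two unrevoked certificates in the sample it is still growing at the analysis date.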
When a certificate is revoked, the computer displays a window explaining that the certificate cannot be verified and should not be trusted before asking the user if they want to continue with the installation.\r\nSigned, sealed, and delivered\r\nAs noted earlier, the stolen certificates Symantec identified in this investigation were used to sign both hacking tools and malware. Further analysis of the malware identified what looks like a custom back door. We believe Suckfly specifically developed the back door for use in cyberespionage campaigns. Symantec detects this threat as Backdoor.Nidiran.\r\nAnalysis of Nidiran samples determined that the back door had been updated three times since early 2014, which fits the timeline outlined in Figure 4. The modifications were minor and were likely made to add capabilities and avoid detection. While the malware is custom, it only provides the attackers with standard back door capabilities.\r\nSuckfly delivered Nidiran through a strategic web compromise. Specifically, the threat group used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-6332), which affects specific versions of Microsoft Windows. The exploit is triggered when a potential victim browses to the malicious page using Internet Explorer, and it allows the attacker to execute code with the same privileges as the currently logged-in user.\r\nOnce exploitation succeeds, Nidiran is delivered through a self-extracting executable that, when run, extracts its components to a .tmp folder. 
The threat then executes “svchost.exe”, a PE file that is actually the clean Microsoft OLE/COM Object Viewer tool, OLEVIEW.EXE. That executable loads iviewers.dll, which is normally a clean, legitimate file. Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll and then use DLL load hijacking to execute the malicious code and infect the computer. This technique is associated with the Korplug/PlugX malware and is frequently used in China-based cyberespionage activity.\r\nHigh demand for code-signing certificates\r\nSuckfly isn’t the only attack group to use certificates to sign malware, but it may be the most prolific collector of them. After all, Stuxnet, widely regarded as the world’s first known cyberweapon, was signed using certificates stolen from companies based in Taiwan, years before Suckfly's activity. Other cyberespionage groups, including Black Vine and Hidden Lynx, have also used stolen certificates in their campaigns.\r\nIn April 2013, a third-party vendor published a report about a cyberespionage group using custom malware and stolen certificates in its operations. The report documented an advanced threat group it attributed to China. Symantec tracks the group behind this activity as Blackfly and detects the malware it uses as Backdoor.Winnti.\r\nThe Blackfly attacks share some similarities with the more recent Suckfly attacks. Blackfly began with a campaign to steal certificates, which were later used to sign malware used in targeted attacks. The certificates Blackfly stole were also from South Korean companies, primarily in the video game and software development industry. Another similarity is that Suckfly stole a certificate from Company D (see Figure 4) less than two years after Blackfly had stolen a certificate from the same company. 
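Returning to the Nidiran delivery chain described in the 'Signed, sealed, and delivered' section above: a renamed copy of OLEVIEW.EXE executing as svchost.exe from a temporary folder and loading iviewers.dll from that same folder leaves a recognisable pattern in endpoint telemetry. The detection logic below is an added example and is not part of the report. It runs over constructed Sysmon-style ProcessCreate (Event ID 1) and ImageLoad (Event ID 7) events; the field names follow Sysmon's schema except HostSignatureStatus, which is assumed to be an enrichment field added by the collection pipeline (for instance from the ImageLoad event of the process's main module), since ProcessCreate itself does not carry signature data. The paths, user name, ProcessGuid values and signature values are invented. The checks flag the masquerading binary and the side-loaded DLL while leaving a benign SDK copy of the tool alone, and they generalise beyond iviewers.dll: any unsigned DLL loaded from a user-writable directory into a signed host process is reported.

```python
import ntpath

# Constructed Sysmon-style telemetry, invented for this example. Field names follow
# Sysmon's ProcessCreate (Event ID 1) and ImageLoad (Event ID 7) schema, except
# HostSignatureStatus, an assumed enrichment field (ProcessCreate has no signature
# data of its own). Paths, user name and ProcessGuid values are made up.
EVENTS = [
    {'EventID': 1, 'ProcessGuid': '{p-1}', 'Image': 'C:\\Windows\\System32\\svchost.exe',
     'OriginalFileName': 'svchost.exe', 'HostSignatureStatus': 'Valid'},
    # Nidiran-style chain: OLEVIEW.EXE dropped as svchost.exe into a temp folder ...
    {'EventID': 1, 'ProcessGuid': '{p-2}',
     'Image': 'C:\\Users\\alice\\AppData\\Local\\Temp\\RarSFX0\\svchost.exe',
     'OriginalFileName': 'OLEVIEW.EXE', 'HostSignatureStatus': 'Valid'},
    # ... which then loads an unsigned iviewers.dll sitting next to it.
    {'EventID': 7, 'ProcessGuid': '{p-2}',
     'Image': 'C:\\Users\\alice\\AppData\\Local\\Temp\\RarSFX0\\svchost.exe',
     'ImageLoaded': 'C:\\Users\\alice\\AppData\\Local\\Temp\\RarSFX0\\iviewers.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    # Benign control: an analyst's SDK copy of the tool loading its own signed DLL.
    {'EventID': 1, 'ProcessGuid': '{p-3}', 'Image': 'C:\\Tools\\oleview.exe',
     'OriginalFileName': 'OLEVIEW.EXE', 'HostSignatureStatus': 'Valid'},
    {'EventID': 7, 'ProcessGuid': '{p-3}', 'Image': 'C:\\Tools\\oleview.exe',
     'ImageLoaded': 'C:\\Tools\\iviewers.dll', 'Signed': 'true', 'SignatureStatus': 'Valid'},
]

SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
WRITABLE_MARKERS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\',
                    '\\users\\public\\', '\\programdata\\')
SIDELOAD_TARGETS = {'iviewers.dll'}   # DLL named in the report; extend with other known side-load victims

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def in_writable_dir(path):
    p = path.lower()
    return any(marker in p for marker in WRITABLE_MARKERS)

def check_process_create(ev):
    '''Masquerading: svchost.exe outside System32, or a PE whose version-resource
    OriginalFileName (OLEVIEW.EXE) does not match the name it was given on disk.'''
    findings = []
    name = ntpath.basename(ev['Image']).lower()
    orig = ev.get('OriginalFileName', '').lower()
    if name == 'svchost.exe' and not in_system_dir(ev['Image']):
        findings.append(('svchost_outside_system32', ev['ProcessGuid'], ev['Image']))
    if orig and orig != name:
        findings.append(('original_filename_mismatch', ev['ProcessGuid'], orig + ' running as ' + name))
    return findings

def check_image_load(ev, host):
    '''Side-loading: a known side-load target loaded from a non-system directory
    without a valid signature, or any unsigned DLL from a user-writable directory
    loaded by a host process whose own binary is validly signed.'''
    findings = []
    dll_path = ev['ImageLoaded']
    dll = ntpath.basename(dll_path).lower()
    bad_sig = ev.get('SignatureStatus') != 'Valid'
    writable = in_writable_dir(dll_path)
    if dll in SIDELOAD_TARGETS and not in_system_dir(dll_path) and (writable or bad_sig):
        findings.append(('sideload_known_target', ev['ProcessGuid'], dll_path))
    if writable and bad_sig and host is not None and host.get('HostSignatureStatus') == 'Valid':
        findings.append(('unsigned_dll_from_writable_dir_in_signed_host', ev['ProcessGuid'], dll_path))
    return findings

def triage(events):
    '''Run both checks over an event stream; ImageLoad events are correlated to
    their ProcessCreate by ProcessGuid so the host's signature status is known.'''
    processes = {}
    findings = []
    for ev in events:
        if ev['EventID'] == 1:
            processes[ev['ProcessGuid']] = ev
            findings.extend(check_process_create(ev))
        elif ev['EventID'] == 7:
            findings.extend(check_image_load(ev, processes.get(ev['ProcessGuid'])))
    return findings

if __name__ == '__main__':
    for rule, guid, detail in triage(EVENTS):
        print(rule, guid, detail)
```

The OriginalFileName check is the most durable of the three: renaming OLEVIEW.EXE changes what the file is called on disk but not the name recorded in its version resource, and whether the host binary carries a legitimate or a stolen signature makes no difference to it.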
In the Company D case the two stolen certificates were different and were stolen in separate incidents, but both were used with custom malware in targeted attacks originating from China.\r\nWhy do attackers want signed malware?\r\nSigning malware with code-signing certificates is becoming more common, as seen in this investigation and the other attacks we have discussed. Attackers take the time and effort to steal certificates because it is becoming necessary in order to gain a foothold on a targeted computer. Attempts to sign malware have become more common as the Internet and security systems have moved towards a more trust- and reputation-oriented model, in which untrusted software may not be allowed to run unless it is signed.\r\nAs we noted in our previous research on the Apple threat landscape, some operating systems, such as Mac OS X, are configured by default to only allow applications to run if they have been signed with a valid certificate, meaning they are trusted.\r\nFigure 5. Mac OS X can be configured to only permit trusted apps to execute\r\nHowever, using valid code-signing certificates stolen from organizations with a positive reputation allows attackers to piggyback on that company’s trust, making it easier to slip by these defenses and gain access to targeted computers.\r\nConclusion\r\nSuckfly paints a stark picture of where cyberattack groups and cybercriminals are focusing their attention. Our investigation shines a light on the seedier secret life of code-signing certificates, one that is often completely unknown to their owners. 
The implications of this study show that certificate owners need to keep a careful eye on their certificates to prevent them from falling into the wrong hands. It is important to give certificates the protection they need so they can't be used maliciously.\r\nCertificates are only as secure as the safeguards that organizations put around them. Once a certificate has been compromised, so has the reputation of the organization that signs with it. An organization whose certificate has been stolen and used to sign malware will always be associated with that activity.\r\nSymantec monitors for this type of activity to help prevent organizations from being tied to malicious actions undertaken with their stolen certificates. During the course of this investigation, we ensured that all certificates compromised by Suckfly were revoked and the affected companies notified.\r\nOver the past few years, we have seen a number of advanced threat and cybercrime groups steal code-signing certificates. In all of the cases involving an advanced threat, the certificates were used to disguise malware as a legitimate file or application.\r\nAs this trend grows, it is more important than ever for organizations to maintain strong cybersecurity practices and store their certificates and corresponding private keys in a secure environment. 
Using encryption and services such as Symantec’s Extended Validation (EV) Code Signing and Symantec’s Secure App Service can provide additional layers of security.\r\nProtection\r\nSymantec has the following detections in place to protect against Suckfly’s malware:\r\nAntivirus\r\nBackdoor.Nidiran\r\nBackdoor.Nidiran!g1\r\nHacktool\r\nExp.CVE-2014-6332\r\nIntrusion prevention system\r\nWeb Attack: Microsoft OleAut32 RCE CVE-2014-6332\r\nWeb Attack: Microsoft OleAut32 RCE CVE-2014-6332 2\r\nWeb Attack: Microsoft OleAut32 RCE CVE-2014-6332 4\r\nWeb Attack: OLEAUT32 CVE-2014-6332 3\r\nSystem Infected: Trojan.Backdoor Activity 120\r\nFurther information\r\nTo learn more about Symantec’s digital certificate solutions for code signing, please visit our Code Signing Information Center.\r\nTo learn more about how best to protect your code-signing certificates, read our whitepaper: Securing Your Private Keys As Best Practice for Code Signing Certificates\r\nUpdate – March 18, 2016\r\nIndicators of compromise\r\nFile hashes (MD5)\r\n05edd53508c55b9dd64129e944662c0d\r\n1cf5ce3e3ea310b0f7ce72a94659ff54\r\n352eede25c74775e6102a095fb49da8c\r\n3b595d3e63537da654de29dd01793059\r\n4709395fb143c212891138b98460e958\r\n50f4464d0fc20d1932a12484a1db4342\r\n96c317b0b1b14aadfb5a20a03771f85f\r\nba7b1392b799c8761349e7728c2656dd\r\nde5057e579be9e3c53e50f97a9b1832b\r\ne7d92039ffc2f07496fe7657d982c80f\r\ne864f32151d6afd0a3491f432c2bb7a2\r\nInfrastructure\r\nusv0503[.]iqservs-jp.com\r\naux[.]robertstockdill.com\r\nfli[.]fedora-dns-update.com\r\nbss[.]pvtcdn.com\r\nssl[.]microsoft-security-center.com\r\nssl[.]2upgrades.com\r\n133.242.134.121\r\nSource: 
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "aada2650-7bef-45e4-8371-18c4318a7056",
			"created_at": "2022-10-25T15:50:23.422502Z",
			"updated_at": "2026-04-10T02:00:05.278662Z",
			"deleted_at": null,
			"main_name": "Suckfly",
			"aliases": [
				"Suckfly"
			],
			"source_name": "MITRE:Suckfly",
			"tools": [
				"Nidiran"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4a3c2a4-992d-4ce6-8c97-e39b23da9a26",
			"created_at": "2022-10-25T16:07:24.242051Z",
			"updated_at": "2026-04-10T02:00:04.909353Z",
			"deleted_at": null,
			"main_name": "Suckfly",
			"aliases": [
				"G0039"
			],
			"source_name": "ETDA:Suckfly",
			"tools": [
				"Backdoor.Nidiran",
				"Nidiran",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"gsecdump",
				"smbscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7b039cc0-33b6-495a-b4ca-649d096b993d",
			"created_at": "2023-01-06T13:46:38.482654Z",
			"updated_at": "2026-04-10T02:00:02.99265Z",
			"deleted_at": null,
			"main_name": "APT22",
			"aliases": [
				"G0039",
				"Suckfly",
				"BRONZE OLIVE",
				"Group 46"
			],
			"source_name": "MISPGALAXY:APT22",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1d63fba2-f042-41ca-8a72-64c6e737d295",
			"created_at": "2025-08-07T02:03:24.643647Z",
			"updated_at": "2026-04-10T02:00:03.719558Z",
			"deleted_at": null,
			"main_name": "BRONZE OLIVE",
			"aliases": [
				"APT22 ",
				"Barista",
				"Group 46 ",
				"Suckfly "
			],
			"source_name": "Secureworks:BRONZE OLIVE",
			"tools": [
				"Angryrebel",
				"DestroyRAT",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8736823b2fe9a6190a850ad8f8ba90fc3c66c1e9.pdf",
		"text": "https://archive.orkl.eu/8736823b2fe9a6190a850ad8f8ba90fc3c66c1e9.txt",
		"img": "https://archive.orkl.eu/8736823b2fe9a6190a850ad8f8ba90fc3c66c1e9.jpg"
	}
}