{ "id": "2122032f-e24e-4d1c-9aeb-b7ad7960b7f7", "created_at": "2026-04-06T00:15:43.27745Z", "updated_at": "2026-04-10T13:13:01.71334Z", "deleted_at": null, "sha1_hash": "88a4cfd8e88bd252a570ccceadd2cec23f6ef9e2", "title": "Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection | Mandiant", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2250194, "plain_text": "Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve\r\nTactics to Avoid Detection | Mandiant\r\nBy Mandiant\r\nPublished: 2023-07-18 · Archived: 2026-04-05 18:45:42 UTC\r\nWritten by: Mandiant Intelligence\r\nMandiant Intelligence is tracking several ways in which Chinese cyber espionage activity has increasingly\r\nleveraged initial access and post-compromise strategies intended to minimize opportunities for detection.\r\nSpecifically, this analysis highlights Chinese threat groups’ exploitation of zero-days in security, networking, and\r\nvirtualization software, and targeting of routers and other methods to relay and disguise attacker traffic both\r\noutside and inside victim networks. We assess with high confidence that Chinese cyber espionage groups are using\r\nthese techniques to avoid detection and complicate attribution.\r\nFigure 1: Chinese cyber espionage detection evasion tactics\r\nThis post builds upon previous analysis in which Mandiant assessed that Chinese cyber espionage operators’\r\ntactics had steadily evolved to become more agile, stealthier, and complex to attribute in the years following the\r\nmid 2010s military and intelligence restructuring. The research cites increased use of living-off-the-land (LotL)\r\ntechniques, software supply chain compromise, and publicly available, fileless, or modular malware as evidence\r\nof increased stealth.\r\nChina Focuses on Networking, Security, and Virtualization Software\r\nMandiant Intelligence assesses with high confidence that Chinese cyber espionage zero-day exploitation in 2021\r\nand 2022 has focused on security, networking, and virtualization technologies because targeting these devices\r\nhttps://www.mandiant.com/resources/blog/chinese-espionage-tactics\r\nPage 1 of 8\n\naffords several tactical advantages in obtaining and retaining surreptitious access to victim networks.\r\nFor instance, security and networking devices are “edge devices,” meaning they are accessible to the internet.\r\nWith a successful exploit, an attacker can achieve initial access without human interaction, decreasing chances of\r\ndetection. As long as the exploit remains undiscovered, the threat actor can reuse it to gain access to additional\r\nvictims, or reestablish access to targeted systems. Moreover, both edge devices and virtualization software are\r\nchallenging to monitor and may not support endpoint detection and response (EDR) solutions or methods to detect\r\nmodifications or collect forensic images, further reducing the likelihood of detection and complicating attribution.\r\nTwo recent campaigns exemplify notable strategies Chinese threat actors have used to maximize stealth including,\r\nbut not limited to, zero-day exploitation.\r\nUNC3886 Burned Two Zero-Days in Complex Ops against Hard Targets\r\nIn 2022, Mandiant investigated incidents in which suspected Chinese cyber espionage actor, UNC3886, used\r\nmultiple attack paths and two zero-day vulnerabilities to establish persistence at targeted organizations and\r\nultimately gain access to virtualized environments. UNC3886 has primarily targeted defense industrial base\r\n(DIB), technology, and telecommunication organizations in the U.S. and Asia.\r\nUNC3886 took extraordinary measures to remain undetected in victim environments. The attackers limited their\r\npresence on networks to Fortinet security devices and VMware virtualization technologies, devices and platforms\r\nthat traditionally lack EDR solutions. The group’s custom malware and exploits prioritized circumventing logs\r\nand security controls, for example, using non-traditional protocols (VMCI sockets) that are not logged by default\r\nand have no security restrictions to interact between hypervisors and guest virtual machines (VMs). UNC3886\r\nalso cleared and modified logs and disabled file system verification on startup to avoid getting detected.\r\nThe threat actor used malware families designed to interact with Fortinet devices, including THINCRUST,\r\nCASTLETAP, TABLEFLIP, and REPTILE. UNC3886 took advantage of path traversal vulnerability CVE-2022-41328 to overwrite legitimate files in a normally restricted system directory (Figure 2).\r\nWith access to targeted organizations’ Fortinet devices, the threat actor interacted with VMware vCenter\r\nservers and leveraged malicious vSphere Installation Bundles (“VIBs”) to install customized backdoors\r\nVIRTUALPITA and VIRTUALPIE on ESXi hypervisors. UNC3886 exploited an authentication bypass\r\nvulnerability CVE-2023-20867 on ESXi hosts to enable the execution of privileged commands on guest\r\nVMs with no additional logs generated on guest VMs.\r\nhttps://www.mandiant.com/resources/blog/chinese-espionage-tactics\r\nPage 2 of 8\n\nFigure 2: UNC3886 exploits two zero-days in complex operations\r\nMandiant recommends organizations using ESXi and the VMware infrastructure suite follow the hardening steps\r\noutlined in this blog post to minimize the attack surface of ESXi hosts, and refer to this additional guide laying out\r\ndetection, containment, and hardening opportunities to counter observed UNC3886 operations.\r\nhttps://www.mandiant.com/resources/blog/chinese-espionage-tactics\r\nPage 3 of 8\n\nUNC4841 Exploitation of Barracuda ESG Began Stealthy, Turned Aggressive\r\nBeginning in at least October 2022, suspected Chinese cyber espionage actor UNC4841 exploited a zero-day\r\nvulnerability, CVE-2023-2868, in Barracuda Email Security Gateway (ESG) appliances in a campaign targeting\r\npublic and private organizations worldwide. In several cases we observed evidence of the actor searching for\r\nemail data of interest before staging it for exfiltration. The actor showed specific interest in information of\r\npolitical or strategic interest to China. This included the global targeting of governments and organizations\r\nassociated with verticals of high priority to China. Further, in the set of entities selected for focused data\r\nexfiltration, shell scripts were uncovered that targeted email domains and users from Ministries of Foreign Affairs\r\n(MFAs) of ASEAN member nations as well as individuals within foreign trade offices and academic research\r\norganizations in Taiwan and Hong Kong.\r\nUNC4841 sought to disguise elements of its activity in a number of ways. In addition to continuing the pattern of\r\ntargeting a security appliance, UNC4841 sent emails with specially crafted TAR file attachments that exploited\r\nCVE-2023-2868 and allowed the attackers to execute arbitrary system commands with the elevated privileges of\r\nthe ESG product (Figure 3). We assess that the subject line and body of the emails UNC4841 sent as part of this\r\ncampaign were likely crafted to be caught in spam filters and discourage further investigation. Mandiant has\r\nobserved advanced groups exploiting zero-days use this tactic in the past. UNC4841 also developed custom\r\nmalware utilizing naming conventions consistent with legitimate ESG files (including SALTWATER, SEASIDE,\r\nSEASPY) as well as inserted custom backdoor code into legitimate Barracuda modules (including SEASPRAY\r\nand SKIPJACK). In some cases, UNC4841 used legitimate self-signed SSL temporary certificates that are shipped\r\non ESG appliances for setup purposes as well as certificates stolen from victim environments to masquerade the\r\ncommand and control (C2) traffic.\r\nFigure 3: SEASPY attack path\r\nAnother remarkable element of this campaign was the threat actor’s aggressive response to remediation efforts and\r\nthe activity going public. Following Barracuda’s vulnerability disclosure and initial remediation actions,\r\nUNC4841 countered by moving rapidly to alter its malware, employ additional persistence mechanisms, and\r\nmove laterally in an attempt to maintain access to compromised environments. Barracuda currently recommends\r\nhttps://www.mandiant.com/resources/blog/chinese-espionage-tactics\r\nPage 4 of 8\n\nreplacing compromised appliances. Mandiant also released a hardening, remediation, and hunting guide for\r\nBarracuda ESG devices earlier this year.\r\nAdditional Examples\r\nThe previous case studies represent just two among a growing list of notable Chinese cyber espionage incidents\r\nand campaigns exploiting zero-days in security and networking products.\r\nMandiant described exploitation of CVE-2022-42475, a vulnerability in Fortinet's FortiOS SSL-VPN, with\r\nthe earliest evidence dating to October 2022.\r\nIn December 2022, Citrix reported in-the-wild exploitation of CVE-2022-27518 in its Application Delivery\r\nController (ADC), which the U.S. National Security Agency (NSA) attributed to APT5.\r\nIn March 2022, Sophos reported in-the-wild exploitation of CVE-2022-1040 in its Firewall product, which\r\nVolexity linked to Chinese cyber espionage actors.\r\nMandiant investigated multiple intrusions that occurred between August 2020 and March 2021 and\r\ninvolved exploitation of CVE-2021-22893 in Pulse Secure VPNs.\r\nIn March 2021, Mandiant identified three zero-day vulnerabilities that were exploited in SonicWall's Email\r\nSecurity (ES) product (CVE-2021-20021, CVE-2021-20022, CVE-2021-20023).\r\nChinese Actors Disguise External and Internal Traffic with Botnets and Tunnels\r\nMore frequently in the last three years, Mandiant has identified examples of Chinese cyber espionage operations\r\nusing botnets of compromised internet of things (IoT) devices, smart devices, and routers to disguise external\r\ntraffic between C2 infrastructure and victim environments, as well as numerous malware families that include\r\nfunctionalities to covertly relay attacker traffic within compromised networks. We judge that the operators are\r\nusing these tactics to evade detection and to complicate attribution.\r\nBotnet-as-Smokescreen\r\nWe identified a number of examples of Chinese cyber espionage groups using botnets to obfuscate traffic between\r\nattackers and victim networks, including APT41, APT31, APT15, TEMP.Hex, and Volt Typhoon.\r\nIn May 2023, Microsoft reported Chinese cyber espionage activity dubbed “Volt Typhoon” targeting\r\ncritical infrastructure organizations in the United States. In conjunction with other techniques, likely\r\nintended to limit detection opportunities, the threat actor reportedly used a botnet of compromised SOHO\r\ndevices to route network traffic.\r\nMandiant believes the activity described in Microsoft’s report overlaps substantially with an activity\r\ncluster we have seen targeting government and transportation organizations, as well as exploiting a\r\nrecently disclosed vulnerability in Zoho ADSelfService Plus.\r\nIn 2023, CheckPoint described a suspected Chinese cyber espionage group it describes as “Camaro\r\nDragon” using a custom backdoor dubbed “Horse Shell” in activity targeting European foreign affairs\r\norganizations. Horse Shell is a malicious implant that was discovered within a modified TP-Link router\r\nfirmware image. It enables the attacker to establish an SSH encrypted SOCKS proxy and transfer files.\r\nCheckPoint assesses that the threat actor infected residential routers to obfuscate traffic between command\r\nhttps://www.mandiant.com/resources/blog/chinese-espionage-tactics\r\nPage 5 of 8\n\nand control servers and compromised victims. Mandiant has not independently verified this activity, but the\r\nreported network infrastructure has limited overlaps to public reporting we track as TEMP.Hex.\r\nIn 2022 PricewaterhouseCoopers (PwC) reported on BPFDOOR malware, which allegedly received\r\ncommands from virtual private servers (VPS) that were controlled by a network of Taiwan-based\r\ncompromised routers.\r\nMandiant has observed evidence that an activity cluster potentially related to APT41 used\r\nBPFDOOR to target South Asian government organizations and a Chinese multinational\r\ncorporation.\r\nPwC also reported that it observed Chinese cyber espionage actor Red Vulture using a shared proxy\r\nnetwork dubbed RedRelay in 2021 and 2022. Red Vulture is described as corresponding to APT15, APT25,\r\nand Ke3chang.\r\nFrench and U.S. authorities issued public reports highlighting Chinese state sponsored actors’ exploitation\r\nof network devices such as small office/home office (SOHO) routers to route traffic between C2\r\ninfrastructure and victim networks (see Figure 4). The 2022 U.S. advisory also mentions exploitation of\r\nNetwork Attached Storage (NAS) devices. The 2021 French advisory describes a specific campaign they\r\nattribute to APT31.\r\nESET reportedly observed a Linux backdoor they track as SideWalk used to compromise a Hong Kong\r\nuniversity in February 2021. ESET believes SideWalk to be exclusively used by the SparklingGoblin APT.\r\nWhile they were unable to confidently identify the initial infection vector for this operation, they\r\nhypothesized that it could have been exploitation of a router vulnerability because of significant overlaps\r\nbetween SideWalk and a botnet malware, dubbed Specter, that Netlab 360 described in September 2020.\r\nSpecter reportedly propagates by exploiting vulnerabilities in AVTECH IP camera, NVR, and DVR\r\ndevices.\r\nMandiant attributes most of the activity ESET described to APT41. We track the SideWalk malware\r\nfamily as MOPSLED and its loader as DUSTPAN. We have seen both APT41 and UNC3886 use\r\nMOPSLED. We consider MOPSLED to be an evolution of CROSSWALK, which can act as a\r\nnetwork proxy.\r\nFigure 4: Chinese cyber espionage tactics exploiting network devices (Source: NSA)\r\nhttps://www.mandiant.com/resources/blog/chinese-espionage-tactics\r\nPage 6 of 8\n\nYour Router is My Router\r\nMandiant also noted evidence of suspected Chinese cyber espionage operators deploying custom malware to relay\r\nand disguise traffic within victim networks, for example, using DNS, HTTP, and TCP/IP hijacking.\r\nMalware Description\r\nZuoRAT\r\nIn June 2023, Lumen’s Black Lotus Labs described a multi-stage remote access Trojan\r\n(RAT) dubbed \"ZuoRAT\" that it observed exploiting known vulnerabilities affecting\r\nAsus, Cisco, DrayTek, and Netgear SOHO routers throughout North America and\r\nEurope. According to the researchers, \"ZuoRAT is a MIPS file compiled for SOHO\r\nrouters that can enumerate a host and internal LAN, capture packets being transmitted\r\nover the infected device, and perform adversary-in-the-middle attacks (DNS and HTTPS\r\nhijacking based on predefined rules).\" The researchers also claim to have identified\r\ninfected routers acting as proxy C2 nodes. Mandiant has not independently verified this\r\nactivity.\r\nDELIMEAT\r\nIn early 2022, Symantec described malware dubbed Daxin that can hijack legitimate\r\nTCP/IP encrypted channels and relay its communications across infected machines\r\nwithin a targeted network. Notably, Symantec reports that the earliest sample of this\r\nmalware they identified dates from 2013. Mandiant tracks elements of Daxin as\r\nDELIMEAT.\r\nEYEWELL\r\nEYEWELL, malware we have seen TEMP.Overboard deploy primarily against\r\nTaiwanese government and technology targets, contains a passive proxy capability that\r\ncan be used to relay traffic from other systems infected with EYEWELL within a victim\r\nenvironment.\r\nNotably, Mandiant reported that a TEMP.Overboard malware identified in 2019 that\r\nshared similarities with EYEWELL also included functionality customized to disable\r\npart of the process listing and network functionality of an endpoint security product.\r\nHYPERBRO and\r\nFOCUSFJORD\r\nIn an analysis of UNC215 intrusions against Middle Eastern and Central Asian targets in\r\n2019 and 2020, Mandiant noted evidence that UNC215 made technical modifications to\r\nHYPERBRO and FOCUSFJORD to incorporate the ability to act as proxies and relay\r\ncommunications to their C2 servers, likely to minimize the risk of detection and blend in\r\nwith normal network traffic.\r\nhttps://www.mandiant.com/resources/blog/chinese-espionage-tactics\r\nPage 7 of 8\n\nLOOTALLEY\r\nIn 2019, Mandiant identified samples of the LOOTALLEY backdoor that contained a\r\nmodule potentially supporting the capability to conduct HTTP hijacking or other\r\nadversary-in-the-middle (AiTM) functionality. We observed LOOTALLEY in suspected\r\nChinese cyber espionage operations likely targeting foreign companies operating in\r\nChina and other domestic targets of interest.\r\nTable 1: Malware families used to proxy malicious traffic within compromised networks\r\nConclusion\r\nUse of botnets, proxying traffic in a compromised network, and targeting edge devices are not new tactics, nor are\r\nthey unique to Chinese cyber espionage actors. However, during the last decade, we have tracked Chinese cyber\r\nespionage actors’ use of these and other tactics as part of a broader evolution toward more purposeful, stealthy,\r\nand effective operations. We suggest that the military and intelligence restructure, evidence of shared development\r\nand logistics infrastructure, and legal and institutional structures directing vulnerability research through\r\ngovernment authorities point to long term investments in equipping Chinese cyber operators with more\r\nsophisticated tactics, tools, and exploits to achieve higher success rates in gaining and maintaining access to high\r\nvalue networks. The examples highlighted here indicate that these investments are bearing fruit.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/chinese-espionage-tactics\r\nhttps://www.mandiant.com/resources/blog/chinese-espionage-tactics\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.mandiant.com/resources/blog/chinese-espionage-tactics" ], "report_names": [ "chinese-espionage-tactics" ], "threat_actors": [ { "id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7", "created_at": "2023-06-23T02:04:34.793629Z", "updated_at": "2026-04-10T02:00:04.971054Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "Bronze Silhouette", "Dev-0391", "Insidious Taurus", "Redfly", "Storm-0391", "UAT-5918", "UAT-7237", "UNC3236", "VOLTZITE", "Vanguard Panda" ], "source_name": "ETDA:Volt Typhoon", "tools": [ "FRP", "Fast Reverse Proxy", "Impacket", "LOLBAS", "LOLBins", "Living off the Land" ], "source_id": "ETDA", "reports": null }, { "id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843", "created_at": "2023-11-21T02:00:07.315543Z", "updated_at": "2026-04-10T02:00:03.461446Z", "deleted_at": null, "main_name": "UNC4841", "aliases": [ "SLIME57" ], "source_name": "MISPGALAXY:UNC4841", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8b57a00-18f4-4e49-9954-849de5e97506", "created_at": "2023-11-05T02:00:08.065073Z", "updated_at": "2026-04-10T02:00:03.395154Z", "deleted_at": null, "main_name": "SparklingGoblin", "aliases": [], "source_name": "MISPGALAXY:SparklingGoblin", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "274f04ff-fae8-4e90-bcf5-3e391a860cd5", "created_at": "2023-12-08T02:00:05.75114Z", "updated_at": "2026-04-10T02:00:03.493837Z", "deleted_at": null, "main_name": "UNC215", "aliases": [], "source_name": "MISPGALAXY:UNC215", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "13bedce4-3115-4563-afd5-068e3930e68e", "created_at": "2023-01-06T13:46:38.623775Z", "updated_at": "2026-04-10T02:00:03.042652Z", "deleted_at": null, "main_name": "APT5", "aliases": [ "KEYHOLE PANDA", "BRONZE FLEETWOOD", "TEMP.Bottle", "Mulberry Typhoon", "Poisoned Flight" ], "source_name": "MISPGALAXY:APT5", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "efa7c047-b61c-4598-96d5-e00d01dec96b", "created_at": "2022-10-25T16:07:23.404442Z", "updated_at": "2026-04-10T02:00:04.584239Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Canary Typhoon", "Circuit Panda", "Earth Hundun", "G0098", "Manga Taurus", "Operation PLEAD", "Operation Shrouded Crossbow", "Operation Waterbear", "Palmerworm", "Radio Panda", "Red Djinn", "T-APT-03", "TEMP.Overboard" ], "source_name": "ETDA:BlackTech", "tools": [ "BIFROST", "BUSYICE", "BendyBear", "Bluether", "CAPGELD", "DRIGO", "Deuterbear", "Flagpro", "GOODTIMES", "Gh0stTimes", "IconDown", "KIVARS", "LOLBAS", "LOLBins", "Linopid", "Living off the Land", "TSCookie", "Waterbear", "XBOW", "elf.bifrose" ], "source_id": "ETDA", "reports": null }, { "id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e", "created_at": "2022-10-25T15:50:23.453824Z", "updated_at": "2026-04-10T02:00:05.28793Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "Ke3chang", "APT15", "Vixen Panda", "GREF", "Playful Dragon", "RoyalAPT", "Nylon Typhoon" ], "source_name": "MITRE:Ke3chang", "tools": [ "Okrum", "Systeminfo", "netstat", "spwebmember", "Mimikatz", "Tasklist", "MirageFox", "Neoichor", "ipconfig" ], "source_id": "MITRE", "reports": null }, { "id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784", "created_at": "2023-01-06T13:46:38.953463Z", "updated_at": "2026-04-10T02:00:03.159523Z", "deleted_at": null, "main_name": "APT31", "aliases": [ "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", "Violet Typhoon", "TA412" ], "source_name": "MISPGALAXY:APT31", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9e6186dd-9334-4aac-9957-98f022cd3871", "created_at": "2022-10-25T15:50:23.357398Z", "updated_at": "2026-04-10T02:00:05.368552Z", "deleted_at": null, "main_name": "ZIRCONIUM", "aliases": [ "APT31", "Violet Typhoon" ], "source_name": "MITRE:ZIRCONIUM", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "9df8987a-27fc-45c5-83b0-20dceb8288af", "created_at": "2025-10-29T02:00:51.836932Z", "updated_at": "2026-04-10T02:00:05.253487Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "UNC3886" ], "source_name": "MITRE:UNC3886", "tools": [ "MOPSLED", "VIRTUALPIE", "CASTLETAP", "THINCRUST", "VIRTUALPITA", "RIFLESPINE" ], "source_id": "MITRE", "reports": null }, { "id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d", "created_at": "2024-08-28T02:02:09.711951Z", "updated_at": "2026-04-10T02:00:04.957678Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [ "Fire Ant" ], "source_name": "ETDA:UNC3886", "tools": [ "BOLDMOVE", "CASTLETAP", "LOOKOVER", "MOPSLED", "RIFLESPINE", "TABLEFLIP", "THINCRUST", "Tiny SHell", "VIRTUALGATE", "VIRTUALPIE", "VIRTUALPITA", "VIRTUALSHINE", "tsh" ], "source_id": "ETDA", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55", "created_at": "2024-04-24T02:00:49.599348Z", "updated_at": "2026-04-10T02:00:05.303948Z", "deleted_at": null, "main_name": "APT5", "aliases": [ "APT5", "Mulberry Typhoon", "BRONZE FLEETWOOD", "Keyhole Panda", "UNC2630" ], "source_name": "MITRE:APT5", "tools": [ "Tasklist", "PoisonIvy", "RAPIDPULSE", "PcShare", "Mimikatz", "SLOWPULSE", "SLIGHTPULSE", "Skeleton Key", "gh0st RAT", "PULSECHECK", "netstat" ], "source_id": "MITRE", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37", "created_at": "2023-11-04T02:00:07.663664Z", "updated_at": "2026-04-10T02:00:03.385989Z", "deleted_at": null, "main_name": "UNC3886", "aliases": [], "source_name": "MISPGALAXY:UNC3886", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a88747e2-ffed-45d8-b847-8464361b2254", "created_at": "2023-11-01T02:01:06.605663Z", "updated_at": "2026-04-10T02:00:05.289908Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "Volt Typhoon", "BRONZE SILHOUETTE", "Vanguard Panda", "DEV-0391", "UNC3236", "Voltzite", "Insidious Taurus" ], "source_name": "MITRE:Volt Typhoon", "tools": [ "netsh", "PsExec", "ipconfig", "Wevtutil", "VersaMem", "Tasklist", "Mimikatz", "Impacket", "Systeminfo", "netstat", "Nltest", "certutil", "FRP", "cmd" ], "source_id": "MITRE", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "75024aad-424b-449a-b286-352fe9226bcb", "created_at": "2023-01-06T13:46:38.962724Z", "updated_at": "2026-04-10T02:00:03.164536Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "CIRCUIT PANDA", "Temp.Overboard", "Palmerworm", "G0098", "T-APT-03", "Manga Taurus", "Earth Hundun", "Mobwork", "HUAPI", "Red Djinn", "Canary Typhoon" ], "source_name": "MISPGALAXY:BlackTech", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b", "created_at": "2025-08-07T02:03:24.661509Z", "updated_at": "2026-04-10T02:00:03.644548Z", "deleted_at": null, "main_name": "BRONZE SILHOUETTE", "aliases": [ "Dev-0391 ", "Insidious Taurus ", "UNC3236 ", "Vanguard Panda ", "Volt Typhoon ", "Voltzite " ], "source_name": "Secureworks:BRONZE SILHOUETTE", "tools": [ "Living-off-the-land binaries", "Web shells" ], "source_id": "Secureworks", "reports": null }, { "id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479", "created_at": "2023-10-27T02:00:07.764261Z", "updated_at": "2026-04-10T02:00:03.378226Z", "deleted_at": null, "main_name": "Camaro Dragon", "aliases": [], "source_name": "MISPGALAXY:Camaro Dragon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7d5531e2-0ad1-4237-beed-af009035576f", "created_at": "2024-05-01T02:03:07.977868Z", "updated_at": "2026-04-10T02:00:03.817883Z", "deleted_at": null, "main_name": "BRONZE PALACE", "aliases": [ "APT15 ", "BRONZE DAVENPORT ", "BRONZE IDLEWOOD ", "CTG-6119 ", "CTG-6119 ", "CTG-9246 ", "Ke3chang ", "NICKEL ", "Nylon Typhoon ", "Playful Dragon", "Vixen Panda " ], "source_name": "Secureworks:BRONZE PALACE", "tools": [ "BMW", "BS2005", "Enfal", "Mirage", "RoyalCLI", "RoyalDNS" ], "source_id": "Secureworks", "reports": null }, { "id": "7c8cf02c-623a-4793-918b-f908675a1aef", "created_at": "2023-01-06T13:46:38.309165Z", "updated_at": "2026-04-10T02:00:02.921721Z", "deleted_at": null, "main_name": "APT15", "aliases": [ "Metushy", "Lurid", "Social Network Team", "Royal APT", "BRONZE DAVENPORT", "BRONZE IDLEWOOD", "VIXEN PANDA", "Ke3Chang", "Playful Dragon", "BRONZE PALACE", "G0004", "Red Vulture", "Nylon Typhoon" ], "source_name": "MISPGALAXY:APT15", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4ed2b20c-7523-4852-833b-cebee8029f55", "created_at": "2023-05-26T02:02:03.524749Z", "updated_at": "2026-04-10T02:00:03.366175Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "BRONZE SILHOUETTE", "VANGUARD PANDA", "UNC3236", "Insidious Taurus", "VOLTZITE", "Dev-0391", "Storm-0391" ], "source_name": "MISPGALAXY:Volt Typhoon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "47a8f6c7-5b29-4892-8f47-1d46be71714f", "created_at": "2025-08-07T02:03:24.599925Z", "updated_at": "2026-04-10T02:00:03.720795Z", "deleted_at": null, "main_name": "BRONZE FLEETWOOD", "aliases": [ "APT5 ", "DPD ", "Keyhole Panda ", "Mulberry Typhoon ", "Poisoned Flight ", "TG-2754 " ], "source_name": "Secureworks:BRONZE FLEETWOOD", "tools": [ "Binanen", "Comfoo", "Gh0st RAT", "Isastart", "Leouncia", "Marade", "OrcaRAT", "PCShare", "Protux", "Skeleton Key", "SlyPidgin", "VinSelf" ], "source_id": "Secureworks", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "ea34919f-9093-4e34-b9de-a37ab9b4d5c4", "created_at": "2022-10-25T16:07:24.35727Z", "updated_at": "2026-04-10T02:00:04.952883Z", "deleted_at": null, "main_name": "UNC215", "aliases": [], "source_name": "ETDA:UNC215", "tools": [ "AdFind", "CHINACHOPPER", "China Chopper", "FOCUSFJORD", "HighShell", "HyperBro", "HyperSSL", "HyperShell", "Mimikatz", "NBTscan", "ProcDump", "PsExec", "SEASHARPEE", "SinoChopper", "SysUpdate", "TwoFace", "WHEATSCAN", "WinRAR", "certutil", "certutil.exe", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c", "created_at": "2022-10-25T16:07:23.750796Z", "updated_at": "2026-04-10T02:00:04.736762Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "APT 15", "BackdoorDiplomacy", "Bronze Davenport", "Bronze Idlewood", "Bronze Palace", "CTG-9246", "G0004", "G0135", "GREF", "Ke3chang", "Metushy", "Nylon Typhoon", "Operation Ke3chang", "Operation MirageFox", "Playful Dragon", "Playful Taurus", "PurpleHaze", "Red Vulture", "Royal APT", "Social Network Team", "Vixen Panda" ], "source_name": "ETDA:Ke3chang", "tools": [ "Agentemis", "Anserin", "BS2005", "BleDoor", "CarbonSteal", "Cobalt Strike", "CobaltStrike", "DarthPusher", "DoubleAgent", "EternalBlue", "GoldenEagle", "Graphican", "HenBox", "HighNoon", "IRAFAU", "Ketrican", "Ketrum", "LOLBAS", "LOLBins", "Living off the Land", "MS Exchange Tool", "Mebroot", "Mimikatz", "MirageFox", "NBTscan", "Okrum", "PluginPhantom", "PortQry", "ProcDump", "PsList", "Quarian", "RbDoor", "RibDoor", "Royal DNS", "RoyalCli", "RoyalDNS", "SAMRID", "SMBTouch", "SilkBean", "Sinowal", "SpyWaller", "Theola", "TidePool", "Torpig", "Turian", "Winnti", "XSLCmd", "cobeacon", "nbtscan", "netcat", "spwebmember" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434543, "ts_updated_at": 1775826781, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/88a4cfd8e88bd252a570ccceadd2cec23f6ef9e2.pdf", "text": "https://archive.orkl.eu/88a4cfd8e88bd252a570ccceadd2cec23f6ef9e2.txt", "img": "https://archive.orkl.eu/88a4cfd8e88bd252a570ccceadd2cec23f6ef9e2.jpg" } }