{
	"id": "e0c864ea-aaaa-41bd-bbba-b5b8b998328f",
	"created_at": "2026-04-06T00:19:03.488957Z",
	"updated_at": "2026-04-10T13:12:57.659972Z",
	"deleted_at": null,
	"sha1_hash": "88e0565af1f34c1cb6ba131fd3a13e19111082ef",
	"title": "APT trends report Q2 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74135,
	"plain_text": "APT trends report Q2 2021\r\nBy GReAT\r\nPublished: 2021-07-29 · Archived: 2026-04-05 14:26:26 UTC\r\nFor more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing\r\nquarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat\r\nintelligence research and provide a representative snapshot of what we have published and discussed in greater\r\ndetail in our private APT reports. They are designed to highlight the significant events and findings that we feel\r\npeople should be aware of.\r\nThis is our latest installment, focusing on activities that we observed during Q2 2021.\r\nReaders who would like to learn more about our intelligence reports or request more information on a specific\r\nreport are encouraged to contact intelreports@kaspersky.com.\r\nInvestigating the recent Microsoft Exchange vulnerabilities we and our colleagues from AMR found an attacker\r\ndeploying a previously unknown backdoor, “FourteenHi”, in a campaign that we dubbed ExCone, active since\r\nmid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with\r\ninfrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw\r\nShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between\r\nthese two malware families.\r\nFourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor\r\nfunctions. 
Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.\r\nAlthough we couldn’t directly attribute this activity to any known threat actor, we found older, highly similar 64-\r\nbit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations\r\nhttps://securelist.com/apt-trends-report-q2-2021/103517\r\nPage 1 of 10\n\ninvolving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample\r\nreportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike,\r\nDLL side-loading and exploiting the same Exchange vulnerabilities.\r\nRussian-speaking activity\r\nOn May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe\r\nand North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and\r\nAPT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting\r\nfor this cluster of activity, we haven’t been able to make a definitive assessment at this time about which threat\r\nactor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it\r\n“HotCousin”. The attacks began with a spear-phishing email which led to an ISO file container being stored on\r\ndisk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an\r\nExplorer window. If the victim double clicked on it, the LNK then executed a loader written in .NET referred to as\r\nBoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into\r\nmemory. 
According to public blogs, targeting was widespread but focused primarily on diplomatic entities\r\nthroughout Europe and North America: based on the content of the lure documents bundled with the malware, this\r\nassessment appears to be accurate. This cluster of activity was conducted methodically beginning in January with\r\nselective targeting and slow operational pace, then ramping up and ending in May. There are indications of\r\nprevious activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads\r\nand loaders bearing similar toolmarks.\r\nChinese-speaking activity\r\nWhile investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that\r\nappeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown\r\nWindows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote\r\ncontrol over the attacked servers. The former is used to hide the user mode malware’s artefacts from investigators\r\nand security solutions, while demonstrating an interesting loading scheme involving the kernel mode component\r\nof an open source project named “Cheat Engine” to bypass the Windows Driver Signature Enforcement\r\nmechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the\r\nthreat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms\r\ncompanies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no\r\naffinity to a known threat actor, we decided to name the underlying cluster “GhostEmperor”.\r\nAPT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational\r\nRelay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe\r\n(and perhaps elsewhere). 
As of the publication of our report in May, we had seen these ORBs used to relay Cobalt\r\nStrike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other\r\nimplants and ends as well (for example, exploit or malware staging). Most of the infrastructure put in place by\r\nAPT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known manufacturer specializes\r\nin small enterprise routers and network devices. So far, we don’t know which specific vulnerability has been\r\nexploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would\r\nprovide further visibility into this campaign. We will, of course, continue to track these activities.\r\nFollowing our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about\r\nmalicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts\r\nof EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or\r\nprovided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an\r\nadditional implant loaded by FoundCore’s shellcode, several possible new infection documents and malicious\r\ndomain names, as well as additional targets. While we do not believe we have a complete picture of this set of\r\nactivities yet, our report this quarter marks a significant step further in understanding its extent.\r\nA Chinese-speaking APT compromised a certificate authority in Mongolia and replaced digital certificate\r\nmanagement client software with a malicious downloader in February. 
We are tracking this group as BountyGlad.\r\nRelated infrastructure was identified and used in multiple other incidents: interesting related activity included\r\nserver-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash\r\nPlayer installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack.\r\nWhile replacing a legitimate installer on a high value website like a certificate authority requires a medium level\r\nof skill and coordination, the technical sophistication is not on par with ShadowHammer. And while the group\r\ndeploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated\r\nwith code that has been publicly available for years. Previous activity also connected with this group relied\r\nheavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and\r\nloader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the\r\ngroup appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and\r\nC2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple\r\nChinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were\r\nfocused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020,\r\ntargeting US organizations conducting COVID-19 research, was also used by BountyGlad.\r\nWhile investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected\r\nloaders which are part of a new multi-plugin malware framework that we named “QSC”, which allows attackers to\r\nload and run plugins in-memory. 
We attribute the use of this framework to Chinese-speaking groups, based on\r\nsome overlaps in victimology and infrastructure with other known tools used by these groups. We have so far\r\nobserved the malware loading a Command shell and File Manager plugins in-memory. We believe the framework\r\nhas been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found.\r\nHowever, our telemetry suggests that the framework is still in use: the latest activity we detected was in March\r\nthis year.\r\nEarlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks\r\nagainst networks of government entities in Russia. The report described a formerly unknown actor leveraging an\r\ninfection chain that leads to the deployment of two implants – WebDav-O and Mail-O. Those, in conjunction with\r\nother post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in\r\nexfiltration of sensitive data. We were able to trace the WebDav-O implant’s activity in our telemetry to at least\r\n2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find\r\nadditional variants of the malware and observe some of the commands executed by the attackers on the\r\ncompromised machines.\r\nWe discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity\r\ntook place from May to October 2020. This activity made use of several malware families and tools; but the\r\ninfrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a\r\npreviously unknown passive backdoor, that we call “TPCon”, as a primary implant. 
It was later used to perform\r\nboth reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of\r\npublicly available tools. We also found other previously unknown active backdoors, that we call “evsroin”, used as\r\nsecondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a\r\nKABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we\r\nattributed to the Naikon APT back in 2016. On another note, on the affected hosts we found additional multiple\r\nmalware families shared by Chinese-speaking actors, such as ShadowPad and Quarian backdoors. These did not\r\nseem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be\r\ncompletely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were\r\ndetected well before that, in 2019. Besides the Naikon tie, we found some overlaps with previously reported\r\nIceFog and IamTheKing activities.\r\nMiddle East\r\nBlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli\r\ninsurance company, and demanding a ransom in exchange for not releasing the information in its possession.\r\nSince then, the group has made more headlines, breaching another company in Israel and publishing a trove of\r\ndocuments containing customer related information on Telegram. Following this, we found several samples of the\r\ngroup’s unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently\r\ndetected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were\r\nable to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group’s\r\nactivity.\r\nWe previously covered a WildPressure campaign against targets in the Middle East. 
Keeping track of the threat\r\nactor’s malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding\r\nVBScript variant with the same version and a completely new set of modules, including an orchestrator and three\r\nplugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on\r\none of the fields in the C2 communication protocol which contains the “client” programming language. Another\r\nlanguage used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”.\r\nPerhaps the most interesting finding here is that this malware was developed for both Windows and macOS\r\noperating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2\r\ncommunication protocol are quite recognisable across all programming languages used by the attackers. The\r\nmalware used by WildPressure is still under active development in terms of versions and programming languages\r\nin use. Although we could not associate WildPressure’s activity with other threat actors, we did find minor\r\nsimilarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the\r\nsame region. However, we consider that these similarities serve as minor ties and are not enough to make any\r\nattribution.\r\nWe discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting\r\nmultiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in\r\n2019, which we suspect has relations with the Gaza Cybergang threat actor group. 
During our hunting efforts, in\r\nFebruary, for threat actor groups that are using VBS/VBA implants, we came across MS Excel droppers that use\r\nhidden spreadsheets and VBA macros to drop their first stage implant – a VBS script. The VBS script’s main\r\nfunction is to collect system information and execute arbitrary code sent by the attackers. Although we recently\r\nreported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these\r\nintrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims focused in the\r\nMiddle East and a few other countries outside this region. Despite various industries being affected, the focus was\r\nmainly towards government and diplomatic entities; however, we also noticed an unusual targeting of law firms.\r\nGoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been\r\nactive since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to\r\ncontrol victim machines and exfiltrate certain files from them, suggesting that the actor’s primary motivation is\r\nespionage. Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities\r\nin the Middle East. Analysis of the aforementioned malware, as well as the accompanied detection logs, portray a\r\ncapable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the\r\nunderlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous\r\nfootprint.\r\nSoutheast Asia and Korean Peninsula\r\nThe ScarCruft group is a geo-political motivated APT group that usually attacks government entities, diplomats\r\nand individuals associated with North Korean affairs. Following our last report about this group, we had not seen\r\nits activities for almost a year. 
However, we observed that ScarCruft compromised a North Korea-related news\r\nmedia website in January, beginning a campaign that was active until March. The attackers utilized the same\r\nexploit chains, CVE-2020-1380 and CVE-2020-0986, also used in Operation PowerFall. Based on the exploit code\r\nand infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft\r\ngroup. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable\r\npayload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole\r\nattack, this group also used Windows executable malware concealing its payload. This malware, dubbed\r\n“ATTACK-SYSTEM”, also used multi-stage shellcode infection to deliver the same final payload named\r\n“BlueLight”. BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took\r\nadvantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.\r\nIn May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack\r\ntargeting Taiwanese legislators. Based on their information, an unknown attacker sent spear-phishing emails using\r\na fake presidential palace email account, delivering malware we dubbed “Palwan”. Palwan is malware capable of\r\nperforming basic backdoor functionality as well as downloading further modules with additional capabilities.\r\nAnalysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two\r\nmore waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware\r\nvariants. 
We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan.\r\nInvestigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant\r\nactivity. However, we don’t deem this overlap sufficient to attribute this activity to the Dropping Elephant threat\r\nactor.\r\nBlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for\r\nyears. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our\r\nresearch of BlueNoroff’s “SnatchCrypto” campaign in 2020, the group’s strategy to deliver malware has evolved.\r\nIn this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template\r\ninjection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the\r\nnext payload from the initial Word document and injecting it into a legitimate process. The injected payload\r\ncreates a persistent backdoor on the victim’s machine. We observed several types of backdoor. For further\r\nsurveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up\r\nfake blockchain, or cryptocurrency-related, company websites for this campaign, to lure potential victims and\r\ninitiate the infection process. Numerous decoy documents were used, which contain business and nondisclosure\r\nagreements as well as business introductions. 
When compared to the previous SnatchCrypto campaign, the\r\nBlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector.\r\nWindows shortcut files attached to spear-phishing emails used to be the starting point for an infection: they have\r\nnow been replaced by weaponized Word documents.\r\nWe have discovered Andariel activity using a revised infection scheme and custom ransomware targeting a broad\r\nspectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean\r\nfile name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload.\r\nDuring the course of our research, Malwarebytes published a report with technical details about the same series of\r\nattacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion – that the\r\nAndariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and\r\nprevious malware from the Andariel group allowed for this attribution. Apart from the code similarity and the\r\nvictimology, we found additional connections with the Andariel group. Each threat actor has a characteristic habit\r\nwhen they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands\r\nand their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has\r\nbeen spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and\r\nfiles mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one\r\nvictim infected with custom ransomware. 
This ransomware adds another facet to this Andariel campaign, which\r\nalso sought financial profit in a previous operation involving the compromise of ATMs.\r\nWe recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we\r\ndubbed LuminousMoth. Further analysis revealed that this malicious activity dates back to October 2020 and was\r\nstill ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download\r\nand execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to\r\nspread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a\r\nsigned, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate\r\nfiles; and an additional tool that accesses a victim’s Gmail session by stealing cookies from the Chrome browser.\r\nInfrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the\r\nHoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early\r\nsightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the\r\nPhilippines, where the number of known attacks has grown more than tenfold. This raises the question of whether\r\nthis is caused by a rapid replication through removable devices or by an unknown infection vector, such as a\r\nwatering-hole focusing on the Philippines.\r\nWe recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants.\r\nThese implants turned out to be multiple applications working as information stealers to collect sensitive\r\ninformation from victims’ devices, such as contact lists, SMS messages, call recordings, media and other types of\r\ndata. 
Following up, we discovered additional malicious Android applications, some of them purporting to be\r\nknown messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase\r\nmessaging service as a channel to receive commands. The operator is able to control if either Dropbox or another,\r\nhard coded server is used to exfiltrate stolen files.\r\nOther interesting discoveries\r\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat\r\nIntelligence Center and used by the Bitter APT group, we discovered another possible zero-day exploit used in the\r\nAsia-Pacific (APAC) region. Interestingly, the exploit was found in the wild as part of a separate framework,\r\nalongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this\r\nframework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed\r\nthat this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020.\r\nUpon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed\r\ndealing with a new zero-day, it received the designation CVE-2021-28310.\r\nVarious marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and\r\nCVE-2021-28310 were created by the same exploit developer that we track as “Moses”. “Moses” appears to be an\r\nexploit developer who makes exploits available to several threat actors, based on other past exploits and the actors\r\nobserved using them. To date, we have confirmed that at least two known threat actors have utilized exploits\r\noriginally developed by Moses: Bitter APT and Dark Hotel. 
Based on similar marks and artifacts, as well as\r\nprivately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the\r\nlast two years have originated from “Moses”. While the EoP exploit was discovered in the wild, we are currently\r\nunable to directly tie its usage to any known threat actor that we are currently tracking. The EoP exploit was\r\nprobably chained together with other browser exploits to escape sandboxes and obtain system level privileges for\r\nfurther access. Unfortunately, we weren’t able to capture a full exploit chain, so we don’t know if the exploit is\r\nused with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\r\nIn another, more recent investigation into the surge of attacks by APT actors against Exchange servers following\r\nthe revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It\r\nattracted our attention because the actor behind it seemed to have been active in compromising Exchange servers\r\nsince at least December 2020, all the while using a toolset that we were not able to associate with any known\r\nthreat group. During March, several waves of attacks on Exchange servers were made public, partially describing\r\nthe same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that\r\nthe actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with\r\nour observations of the early activity of it last year. That said, none of the public accounts described sightings of\r\nthe full infection chain and later stages of malware deployed as part of this group’s operation. 
Adopting the name\r\nWebsiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor.\r\nNamely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary\r\n.NET backdoor used by the group, which we dubbed “Samurai”, as well as describing a broader set of targets than\r\nthe one documented thus far.\r\nOn 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed\r\nto users between 31 January and 1 April. The Bash Uploader script is publicly distributed by Codecov and\r\naims to gather information on the user’s execution environments, collect code coverage reports, and send them to\r\nthe Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The\r\nBash Uploader script is typically executed as a trusted resource in development and testing environments\r\n(including as part of automated build processes, such as continuous integration or development pipelines); and its\r\ncompromise could enable malicious access to infrastructure or account secrets, as well as code repositories and\r\nsource code. 
While we haven’t been able to confirm the malicious script deployment, retrieve any information on\r\nthe compromise goals, or identify further associated malicious tools yet, we were able to collect one sample of a\r\ncompromised Bash Uploader script, as well as identify some possibly associated additional malicious servers.\r\nAn e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had\r\ngained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade.\r\nPasswordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a\r\nmalicious DLL was included in the software updates. On 24 April, an incident management advisory was also\r\nreleased. The purpose of the campaign was to steal passwords stored in the password manager. Although this\r\nattack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial\r\nfindings. Nevertheless, it’s still unclear how the attackers gained access to the Passwordstate software to begin\r\nwith. Following a new advisory published by Click Studios on 28 April, we discovered a new variant of the\r\nmalicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a\r\nphishing campaign, most likely by the same actor.\r\nA few days after April’s Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our\r\nattention. These files were binaries, disguised as “April 2021 Security Update Installers”. They were signed with a\r\nvalid digital signature, delivering Cobalt Strike beacon modules. It is likely that the modules were signed with a\r\nstolen digital certificate. These Cobalt Strike beacon implants were configured with a hardcoded C2,\r\n“code.microsoft.com”. 
Contrary to a (now redacted) publication from the Qihoo 360 team revolving around this\r\nactivity, we can confirm that there was no compromise of Microsoft’s infrastructure. In fact, an unauthorized party\r\ntook over the dangling subdomain “code.microsoft.com” and configured it to resolve to their Cobalt Strike host,\r\nset up around 15 April. That domain hosted a Cobalt Strike beacon payload served to HTTP clients using a specific\r\nand unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very\r\nlimited and didn’t affect unsuspecting visitors to this website because of the required unique user agent.\r\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies.\r\nCloser analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the\r\nChrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape\r\nthe sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and the most\r\nprominent builds of Windows 10 (17763 – RS5, 18362 – 19H1, 18363 – 19H2, 19041 – 20H1, 19042 – 20H2) and\r\nit exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these\r\nvulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and\r\nCVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch\r\nTuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a\r\nsystem service and loads the payload, a “remote shell”-style backdoor which in turn connects to the C2 to get\r\ncommands. 
So far, we haven’t been able to find any connections or overlaps with a known actor. Therefore, we\r\nare tentatively calling this cluster of activity PuzzleMaker.\r\nOn April 16, we began hearing rumors about active exploitation of Pulse Secure devices from other researchers in\r\nthe community. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that\r\nAPT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For\r\nthis reason, initial thoughts were that the two were related; and these were just rumors circulating the community\r\nabout old activity that was being brought to light again. Following this, we were able to at least confirm that the\r\ninitial rumors were part of a separate set of activities that had occurred between January and March and were not\r\ndirectly related to the advisory mentioned above. This new activity involved the exploitation of at least two\r\nvulnerabilities in Pulse Secure; one previously patched and one zero-day (CVE-2021-22893). We also became\r\naware of affected organizations that were notified by a third party that they were potentially compromised by this\r\nactivity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On\r\nMay 3, Pulse Secure delivered “out-of-cycle” update and workaround packages to provide a solution for the\r\nmultiple vulnerabilities.\r\nCooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals\r\nin Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. 
The attackers used malicious\r\nexecutables that collect information about the infected system and attempt to download a second-stage payload.\r\nThe actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear\r\nto be originating from the United Nations using up-to-date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups. In our report, we examined the flow of both infection\r\nvectors and provided our analysis of the malicious artifacts we came across during this investigation, even though\r\nwe were unable to obtain the later stages of the infection chain.\r\nFinal thoughts\r\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a\r\nmeans of gaining a foothold in a target organisation or compromising an individual’s device, others refresh their\r\ntoolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key\r\ndevelopments of APT groups.\r\nHere are the main trends that we’ve seen in Q2 2021:\r\nWe have reported several supply-chain attacks in recent months. While some were major and have\r\nattracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad,\r\nCoughingDown and the attack targeting Codecov.\r\nAPT groups mainly use social engineering to gain an initial foothold in a target network. 
However, we’ve\r\nseen a rise in APT threat actors leveraging exploits to gain that initial foothold – including the zero-days\r\ndeveloped by the exploit developer we call “Moses” and those used in the PuzzleMaker, Pulse Secure\r\nattacks and the Exchange server vulnerabilities.\r\nAPT threat actors typically refresh and update their toolsets: this includes not only the inclusion of new\r\nplatforms but also the use of additional languages as seen by WildPressure’s macOS-supported Python\r\nmalware.\r\nAs illustrated by the campaigns of various threat actors – including BountyGlad, HotCousin, GoldenJackal,\r\nScarcruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants – geo-politics\r\ncontinues to drive APT developments.\r\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it\r\nshould be borne in mind that, while we strive to continually improve, there is always the possibility that other\r\nsophisticated attacks may fly under our radar.\r\nSource: https://securelist.com/apt-trends-report-q2-2021/103517",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/apt-trends-report-q2-2021/103517"
	],
	"report_names": [
		"103517"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3262c97f-3311-49f5-807c-bcea4d8c9924",
			"created_at": "2022-10-25T16:07:23.717772Z",
			"updated_at": "2026-04-10T02:00:04.725048Z",
			"deleted_at": null,
			"main_name": "IAmTheKing",
			"aliases": [],
			"source_name": "ETDA:IAmTheKing",
			"tools": [
				"JackOfHearts",
				"KingOfHearts",
				"LaZagne",
				"Mimikatz",
				"ProcDump",
				"PsExec",
				"QueenOfClubs",
				"QueenOfHearts",
				"SLOTHFULMEDIA",
				"SlothfulMedia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c00086d-9535-4552-8201-1dd725e41b12",
			"created_at": "2023-04-26T02:03:03.128736Z",
			"updated_at": "2026-04-10T02:00:05.239152Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [
				"LuminousMoth"
			],
			"source_name": "MITRE:LuminousMoth",
			"tools": [
				"PlugX",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a8356cf9-e9d6-4585-8ccf-d30d3efe142b",
			"created_at": "2023-06-23T02:04:34.262059Z",
			"updated_at": "2026-04-10T02:00:04.711064Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "ETDA:GoldenJackal",
			"tools": [
				"JackalControl",
				"JackalPerInfo",
				"JackalScreenWatcher",
				"JackalSteal",
				"JackalWorm"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adee5dfb-98d1-488f-969d-48eed28cd7e4",
			"created_at": "2023-01-06T13:46:38.799427Z",
			"updated_at": "2026-04-10T02:00:03.105089Z",
			"deleted_at": null,
			"main_name": "PowerPool",
			"aliases": [
				"IAmTheKing"
			],
			"source_name": "MISPGALAXY:PowerPool",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3ef437d-e8fa-4250-9a99-89a403035ad2",
			"created_at": "2022-10-25T16:07:24.406019Z",
			"updated_at": "2026-04-10T02:00:04.977275Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [
				"WilePressure"
			],
			"source_name": "ETDA:WildPressure",
			"tools": [
				"Milum"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b14cd6df-3108-4839-8a2d-52eb2f8ce9c8",
			"created_at": "2022-10-25T15:50:23.798666Z",
			"updated_at": "2026-04-10T02:00:05.255838Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"WIRTE"
			],
			"source_name": "MITRE:WIRTE",
			"tools": [
				"LitePower",
				"Ferocious"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bacb81f4-18d1-4dcd-b277-65a9dac41b61",
			"created_at": "2023-11-04T02:00:07.680044Z",
			"updated_at": "2026-04-10T02:00:03.390891Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "MISPGALAXY:GoldenJackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7800d05d-e713-4a4f-9b4f-0b960fb82c9d",
			"created_at": "2023-11-14T02:00:07.079123Z",
			"updated_at": "2026-04-10T02:00:03.444083Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"Ashen Lepus"
			],
			"source_name": "MISPGALAXY:WIRTE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "115ee14e-a122-47a4-bef7-5d3668cda109",
			"created_at": "2025-01-10T02:00:03.15179Z",
			"updated_at": "2026-04-10T02:00:03.800179Z",
			"deleted_at": null,
			"main_name": "CoughingDown",
			"aliases": [],
			"source_name": "MISPGALAXY:CoughingDown",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "92049df8-7902-48e8-ad17-97398b923698",
			"created_at": "2022-10-25T16:07:23.81315Z",
			"updated_at": "2026-04-10T02:00:04.757082Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [],
			"source_name": "ETDA:LuminousMoth",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c652e4b-2f17-4e18-bd05-af12c27e76fb",
			"created_at": "2023-11-30T02:00:07.302263Z",
			"updated_at": "2026-04-10T02:00:03.485667Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [],
			"source_name": "MISPGALAXY:WildPressure",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434743,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88e0565af1f34c1cb6ba131fd3a13e19111082ef.pdf",
		"text": "https://archive.orkl.eu/88e0565af1f34c1cb6ba131fd3a13e19111082ef.txt",
		"img": "https://archive.orkl.eu/88e0565af1f34c1cb6ba131fd3a13e19111082ef.jpg"
	}
}