{
	"id": "c8c5e8af-ee9a-4472-aac7-eb87d76155b0",
	"created_at": "2026-04-06T00:22:04.144098Z",
	"updated_at": "2026-04-10T03:37:51.377274Z",
	"deleted_at": null,
	"sha1_hash": "8b0b2deb396395b9f1b4ea12c379a581ea58c47a",
	"title": "Revealing Emperor Dragonfly: Night Sky and Cheerscrypt – A Single Ransomware Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126736,
	"plain_text": "Revealing Emperor Dragonfly: Night Sky and Cheerscrypt – A Single\r\nRansomware Group\r\nBy Sygnia\r\nPublished: 2022-10-03 · Archived: 2026-04-05 17:33:34 UTC\r\nThe outcome of investigation by Sygnia’s incident response teams – Cheerscrypt \u0026 Night Sky are rebrands of one\r\nransomware group, named ‘Emperor Dragonfly’.\r\nKey Takeaways\r\nSygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis \r\n     revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by\r\nSygnia.\r\n‘Emperor Dragonfly’ (A.K.A. DEV-0401 / BRONZE STARLIGHT) deployed open-source tools that were written by\r\nChinese developers for Chinese users. This reinforces claims that the ‘Emperor Dragonfly’ ransomware operators are based\r\nin China.\r\nContrary to publicly available information, Cheerscrypt ransomware makes use of payloads that target both Windows and\r\nESXi environments.\r\nIntroduction\r\nSygnia recently investigated an incident involving Cheerscrypt ransomware. As the investigation progressed, it became clear\r\nthat the threat actors had successfully maintained their presence inside the compromised network for several months. During\r\nthe investigation, our incident response team made a significant discovery: the Tactics, Techniques and Procedures (TTPs)\r\nthat were used in this attack strongly resemble those used by another ransomware group – Night Sky.\r\nThe publicly-available information on Cheerscrypt is sparse and focuses on the final payload – the ransomware itself – and\r\nthe subsequent encryption of ESXi servers. 
However, in this incident, Windows servers were also encrypted by\r\nCheerscrypt’s ransomware encryptor.\r\nSygnia decided to investigate the threat actors behind this attack, in an attempt to attribute the group to a known actor.\r\nAlthough Night Sky was previously identified as being associated with another threat group, Cheerscrypt was unknown. The\r\nonly clue to their identity was that the threat actors behind Cheerscrypt present themselves as pro-Ukrainian, indicated by\r\nthe phrase “Слава Україні!” (“Glory to Ukraine!”) and the Ukrainian flag that can be found on their dark web leak site.\r\nFigure 1: Cheerscrypt dark web leak site with the flag of Ukraine and the Ukrainian national salute\r\nFinding the Link: Night Sky and Cheerscrypt\r\nhttps://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group\r\nPage 1 of 7\n\nThe attack kill-chain which Sygnia investigated can be broken down into four phases:\r\nInitial access\r\nIn January 2022, a VMware Horizon server was compromised by threat actors leveraging the Log4Shell vulnerability (CVE-2021-44228). Shortly after, PowerShell was used to execute reconnaissance commands and communicate with a Command\r\nand Control (C\u0026C) server. The TTPs and the specific IOCs of this stage match the published information about Night Sky\r\nransomware.\r\nEstablishing a foothold within the network\r\nAfter the successful compromise, PowerShell was used to download three files, which consisted of a signed legitimate\r\nexecutable, a DLL, and an encrypted file. Next, the legitimate executable was abused to side-load a weaponized DLL, which\r\nloaded and decrypted a Cobalt Strike Beacon.\r\nThis method of Cobalt Strike deployment is a known TTP of the Night Sky operators, and the Beacon was downloaded from\r\na known Night Sky C\u0026C server. However, what Sygnia discovered next was surprising: in parallel to the Beacon\r\ndeployment, three tools written in Go were also deployed. 
These binaries were compiled from open-source projects, created\r\nby Chinese-speaking developers, with documentation in English and Chinese. The binaries were identified as:\r\n1. A forked version of a keylogger that supports uploading the key-stroke log to Alibaba Cloud Object Storage Service\r\n(Aliyun OSS).\r\n2. A customized version of ‘IOX’ – a port-forwarding and proxy tool. Based on its documentation, IOX can work as a\r\nsimple ShadowSocks (an open-source encryption protocol used in China to circumvent internet censorship, tunneling\r\nunder the Great Firewall), a fact which demonstrates that the target audience is Chinese.\r\n3. A customized version of ‘NPS’ – a tunneling tool that was deployed alongside IOX. The combination of the tools\r\nenabled the threat actors to create multiple connections through a single tunnel.\r\nThe threat actors utilized the same compromised user account to deploy both the Cobalt Strike Beacons and the Go binaries.\r\nThis user account was also used to create a system service which functioned as the Go tools’ persistence mechanism.\r\nLateral movement\r\nThe threat actors used the Impacket open-source tool to move laterally and perform reconnaissance activities within the\r\nnetwork by executing code remotely. 
This was achieved by utilizing two of Impacket’s Python modules: ‘SMBExec.py’ and\r\n‘WMIExec.py’.\r\nSMBExec was also used to check whether some of the Cobalt Strike Beacons were still running on compromised systems.\r\nIn the weeks following the initial infiltration, additional Beacons were deployed inside the victim organization’s systems in\r\nthe same way (using staging folders and executables previously attributed to Night Sky), communicating with a new C\u0026C\r\nserver – one which was not previously attributed to Night Sky ransomware activity.\r\nData exfiltration and ransomware execution\r\nIn the final stages of the attack, the threat actors used the Rclone open-source command-line tool to exfiltrate sensitive\r\ninformation to Mega, a cloud storage service.\r\nShortly after, the threat actors delivered the final payload: Cheerscrypt ransomware. Although most publications describe\r\nCheerscrypt as a Linux-based ransomware family that targets ESXi servers, in the case Sygnia investigated, both Windows\r\nand ESXi machines were encrypted.\r\nFigure 2: Emperor Dragonfly TTPs as observed during the investigation. The black circles are known TTPs,\r\nwhile the golden circles are newly discovered TTPs, and they encompass both Cheerscrypt and Night Sky\r\ncampaigns.\r\nEnter the Dragon: Emperor Dragonfly Ransomware Group\r\nThe fact that Night Sky IOCs were identified, but Cheerscrypt ransomware was deployed, prompted Sygnia’s Incident\r\nResponse team to delve deeper into Cheerscrypt’s origins. It became clear that Cheerscrypt, like Night Sky, is another\r\nransomware family developed by Emperor Dragonfly.\r\nEmperor Dragonfly – also known as DEV-0401, and BRONZE STARLIGHT – is a Chinese ransomware group that started\r\noperating in mid-2021. 
Unlike other ransomware groups, Emperor Dragonfly does not operate in an affiliate model and\r\nrefrains from purchasing initial access from other threat actors. Instead, it manages all stages of the attack lifecycle on its\r\nown. The group often rebrands its ransomware payloads, which helps it stay under the radar and avoid sanctions – as\r\nit has the appearance of being several, smaller ransomware groups.\r\nIn the world of ransomware affiliates and leaked ransomware source code, it is difficult to connect two ransomware strains\r\nwith one threat actor. However, the following points represent the cumulative evidence which illustrates the correlations\r\nbetween Night Sky and Cheerscrypt when compared with Emperor Dragonfly:\r\n1. The observed TTPs are known characteristics of Emperor Dragonfly attacks. These TTPs include the initial access\r\nvector, lateral movement technique, and the unique Cobalt Strike Beacon deployment, using DLL side-loading and an\r\nencrypted Beacon in a separate file. Interestingly, the initial access was part of a wider exploitation of Log4Shell that\r\nwas attributed to Emperor Dragonfly, and occurred during the same time frame.\r\n2. Emperor Dragonfly routinely changes its ransomware payloads. In the past year, the group used several ransomware\r\nfamilies, including LockFile, AtomSilo, Rook, Night Sky and Pandora. The encryptors of these ransomware families\r\nshare code similarities, as they were all created from the leaked source code of Babuk ransomware. Trend Micro’s\r\nanalysis of the Cheerscrypt ransomware encryptor revealed that it was also created from Babuk, indicating a possible\r\nlink between Night Sky and Cheerscrypt.\r\n3. Emperor Dragonfly is described by Microsoft as a ‘lone wolf’. Unlike other ransomware groups, they don’t work in\r\nan affiliate model (they don’t offer their ransomware in a ‘ransomware-as-a-service’ model), and they don’t purchase\r\naccess from initial access brokers. 
This supports the assumption that a breach started by Emperor Dragonfly (with\r\nNight Sky TTPs) will probably be completed by Emperor Dragonfly (using a Cheerscrypt ransomware payload), and\r\nit is unlikely that this group sold or transferred this access to another group.\r\n4. Emperor Dragonfly is a China-based ransomware operator, making it a rarity in today’s threat landscape. During\r\nSygnia’s investigation, we discovered that in parallel to the Cobalt Strike Beacon deployment, three Go binaries were\r\nalso deployed (see above). These Go tools are not commonly used by ransomware operators, and their GitHub\r\npopularity rank is relatively low. Emperor Dragonfly used the tools throughout the entire compromise: they were\r\ndeployed during early stages and were still running as a persistence mechanism after the ransomware deployment.\r\nThis is another indication that a single threat actor conducted the entire operation.\r\nThe Hunt for Emperor Dragonfly\r\nThe following hunting ideas will help you search the organizational network for traces of Emperor Dragonfly.\r\nSearch for binaries, scripts, and executions from suspicious folders. In the case of Emperor Dragonfly’s attack,\r\nthe same folders were repeatedly used for staging tools throughout the operation. ‘.EXE’, ‘.DLL’, ‘.INI’, ‘.DAT’ and\r\nother files were dropped and executed from ‘C:\\Windows\\Help\\*’, ‘C:\\Windows\\Debug\\*’ and ‘C:\\Users\\Public\\*’\r\nfolders.\r\nSearch for evidence of SMBExec executions. For instance, a service called ‘BTOBTO’ was created on\r\ncompromised machines with indicative command lines. The ‘BTOBTO’ service name is the default service name\r\nused in the SMBExec code for remote code execution. 
The image command line had a specific format:\r\n‘%COMSPEC% /Q /c \u003cCOMMAND_TO_EXECUTE\u003e ^\u003e \\\\127.0.0.1\\C$\\__output 2^\u003e^\u00261 \u003e\r\n%TEMP%\\execute.bat \u0026 %COMSPEC% /Q /c %TEMP%\\execute.bat \u0026 del %TEMP%\\execute.bat’.\r\nSearch for evidence of WMIExec executions. Files under ‘ADMIN$’ with the epoch timestamp of the tool’s\r\nexecution are created on the target machine on which the command was executed. In addition, ‘cmd.exe’ is spawned\r\nfrom the WMI provider process (‘WmiPrvSE.exe’). The cmd.exe command line appears to be in a specific format,\r\ncontaining the string ‘\\\\127.0.0.1\\ADMIN$\\’ as the destination folder for the execution output file.\r\nMonitor users’ authentications, and activity from unusual sources. Throughout their operation, the threat actors\r\nleveraged compromised user accounts to perform lateral movement between servers. This kind of activity might be\r\nflagged as suspicious, as users generally perform authentication from endpoints, and not from servers.\r\nDefending against Emperor Dragonfly\r\nThe following measures will help you defend against Emperor Dragonfly TTPs (as well as similar threats):\r\nIdentify and patch critical vulnerabilities. If you are running VMware Horizon, follow VMware’s advisory to ensure\r\nthe currently installed version is patched against the Log4Shell vulnerability, which was exploited as the initial\r\ninfiltration vector. More generally, it is essential to conduct frequent vulnerability scans and swiftly mitigate\r\ndiscovered issues, with a special focus on internet-facing systems. External Attack Surface Management (EASM)\r\ntools, or even more traditional vulnerability or port scanners, can be leveraged to identify publicly exposed\r\nvulnerable interfaces.\r\nLimit outbound internet access from servers. 
Denying egress traffic by default would’ve blocked the ability to\r\ncommunicate with the threat actor’s C\u0026C server, as well as with the cloud storage services (Alibaba, Mega), thus\r\nmitigating persistence and data exfiltration activities. Allow outbound connectivity to only specific destinations\r\n(FQDN or IP addresses), on a strict need-to-have basis.\r\nProtect the virtualization platform. Ransomware attacks targeting virtualization platforms are a growing trend, due\r\nto their simplicity and efficiency from the perspective of threat actors. Among the most prominent security controls\r\nfor VMware against this threat are allowing traffic towards vCenter and ESXi hosts only from protected bastion\r\nhosts, enabling strict lockdown mode, and restricting unsigned scripts by enabling the ‘execInstalledOnly’ flag. In\r\naddition, ensure virtual machines are securely backed up; for example, if VM backups are made using snapshots\r\nwhich are stored in the same folder as the machine, threat actors may encrypt backups as well.\r\nLimit lateral movement through the network. Threat actors often leverage common management ports to move\r\nlaterally between hosts, and Emperor Dragonfly is no different, with the use of SMBExec and WMIExec. Restricting\r\ntraffic over such ports (namely SMB 445, RPC 135, WinRM 5985-5986, RDP 3389, SSH 22), and allowing traffic\r\nonly from designated specific hosts, may be cumbersome in complex networks, but brings immense value. This may\r\nbe achieved by host-based firewalls, proper network segmentation, or modern microsegmentation technologies.\r\nProtect privileged accounts. 
Minimize the risk of privilege escalation by hardening the Active Directory\r\nenvironment, applying the principle of least privilege and the AD administrative tier model, employing robust credential\r\nand password hygiene practices, and considering the implementation of Privileged Identity and Access solutions.\r\nWhile these security measures are by no means unique to Emperor Dragonfly TTPs, compromising privileged\r\naccounts and using them to move laterally and execute the ransomware is a practice noticed in the described\r\nincidents as well.\r\nAppendix I: Indicators of Compromise\r\nCobalt Strike Beacons\r\nMD5 | Description | File Name\r\n37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\\Windows\\Help\\OEM\\ContentStore\\vlcplayer.dat\r\n240118f6205effcb3a12455a81cfb1c7 | Weaponized DLL loaded by FCAuth.exe | C:\\Windows\\Help\\Corporate\\utilsdll.dll\r\ne5fd4d5774ad97e5c04b69deae33dc9e | Weaponized DLL loaded by mfeann.exe | C:\\Windows\\debug\\LockDown.dll\r\n2893d476408e23b7e8a65c6898fe43fa | Encrypted Cobalt Strike payload | C:\\Windows\\Help\\Corporate\\auth.dat\r\n8161d8339411ddd6d99d54d3aefa2943 | Encrypted Cobalt Strike payload | C:\\Windows\\debug\\debug.dat\r\n5a852305ffb7b5abeb39fcb9a37122ff | Weaponized DLL loaded by vlc.exe | C:\\Windows\\Help\\Corporate\\libvlc.dll\r\nf0656e3a70ab0a10f8d054149f12c935 | Encrypted Cobalt Strike payload | C:\\Windows\\Help\\Corporate\\auth.dat\r\n37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\\Windows\\Help\\Corporate\\vlcplayer.dat\r\nGo Tools\r\nMD5 | Description | File Name\r\n5695de561a065123178067fcedf39ce3 | NPC client for NPS tunnel tool | C:\\Windows\\Help\\mui\\0409\\WindowsUpdate.exe\r\nea4ca87315d14f5142aaef1f5e287417 | Keylogger | C:\\Windows\\Help\\OEM\\ContentStore.exe\r\n5a6008cf994779cde1698a0e80bb817d | IOX port forwarder and proxy | C:\\Windows\\Help\\Windows\\dec.exe\r\nAdditional Artifacts\r\nArtifact | Description\r\nGrPpQGgI4se5fTIRkxBj/nfbcPvfJWpyY5EtRD0hf/CW9u6cXM4f4VKyyzaHJG/OLcdjB95YaMDP6Y1d-Mg | Go Build ID of NPS client-side binary (WindowsUpdate.exe)\r\nGriAm-TYSQig04-nXbTE/9gsYQSitnL9GPHKgpNUX/QA-vmpyo7vFHuU7RQ\\ Y/ _NwncoU6QsMYGeukgxTd | Go Build ID of the keylogger (ContentStore.exe)\r\nSystem Service Update | Service name; persistence mechanism for NPS client-side binary\r\nC85A6814B99C8302AF484563D47D9658 | MD5 hash of SharpShares, an open-source tool to enumerate shares\r\n07d14d16d21d21d00042d41d00041d47e4e0ae17960b2a5b4fd6107fbb0926 | JARM hash of the Cobalt Strike C\u0026C servers\r\nNetwork Indicators\r\nIP Address | Description | URL\r\n207[.]148[.]122[.]171 | C\u0026C server | api[.]rogerscorp[.]org\r\n139[.]180[.]217[.]203 | C\u0026C server (Cobalt Strike Beacon was downloaded from this IP) |\r\n178[.]128[.]102[.]13 | Cobalt Strike C\u0026C server |\r\n139[.]59[.]243[.]219 | Cobalt Strike C\u0026C server |\r\n128[.]199[.]151[.]146 | NPS server |\r\nLegitimate Executables\r\nMD5 | Description | File Name\r\nf9322ead69300501356b13d751165daa | Signed McAfee file used to side-load LockDown.dll | c:\\Windows\\debug\\mfeann.exe\r\n51be3e3a8101bc4298b43a64540c422b | Signed FortiClient file used to side-load utilsdll.dll | C:\\Windows\\Help\\Corporate\\FCAuth.exe\r\ne2904f5301b35b2722faf578d1f7a4d4 | Signed VLC file used to side-load libvlc.dll | C:\\Windows\\Help\\Corporate\\vlc.exe\r\nAppendix II: MITRE ATT\u0026CK TTPs\r\n1. Initial Access\r\n   1. T1190: Exploit Public-Facing Application\r\n2. Execution\r\n   1. T1059.001: Command and Scripting Interpreter: PowerShell\r\n   2. T1059.003: Command and Scripting Interpreter: Windows Command Shell\r\n   3. T1047: Windows Management Instrumentation\r\n   4. T1569.002: System Services: Service Execution\r\n3. Persistence\r\n   1. T1543.003: Create or Modify System Process: Windows Service\r\n4. Defense Evasion\r\n   1. T1027.002: Obfuscated Files or Information: Software Packing\r\n   2. T1574.002: Hijack Execution Flow: DLL Side-Loading\r\n   3. T1070.004: Indicator Removal on Host: File Deletion\r\n5. Discovery\r\n   1. T1135: Network Share Discovery\r\n   2. T1087.002: Account Discovery: Domain Account\r\n   3. T1082: System Information Discovery\r\n   4. T1016: System Network Configuration Discovery\r\n6. Lateral Movement\r\n   1. T1570: Lateral Tool Transfer\r\n   2. T1021.001: Remote Services: Remote Desktop Protocol\r\n7. Collection\r\n   1. T1039: Data from Network Shared Drive\r\n   2. T1056.001: Input Capture: Keylogging\r\n8. Command \u0026 Control\r\n   1. T1090: Proxy\r\n   2. T1095: Non-Application Layer Protocol\r\n   3. T1572: Protocol Tunneling\r\n   4. T1071.001: Application Layer Protocol: Web Protocols\r\n   5. T1132.001: Data Encoding: Standard Encoding\r\n   6. T1573: Encrypted Channel\r\n9. Exfiltration\r\n   1. T1048: Exfiltration Over Alternative Protocol\r\n   2. T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\n10. Impact\r\n   1. T1486: Data Encrypted for Impact\r\nThis advisory and any information or recommendation contained herein has been prepared for general informational\r\npurposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to\r\nany entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources\r\nand to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is\r\nnot responsible for any errors or omissions, or for the results obtained from the use of this Advisory. This Advisory is\r\nprovided on an as-is basis, and without warranties of any kind.\r\nSource: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group"
	],
	"report_names": [
		"revealing-emperor-dragonfly-a-chinese-ransomware-group"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b0b2deb396395b9f1b4ea12c379a581ea58c47a.pdf",
		"text": "https://archive.orkl.eu/8b0b2deb396395b9f1b4ea12c379a581ea58c47a.txt",
		"img": "https://archive.orkl.eu/8b0b2deb396395b9f1b4ea12c379a581ea58c47a.jpg"
	}
}