{
	"id": "e28bbb58-c909-4782-a436-ee7d315731ee",
	"created_at": "2026-04-06T00:17:32.485758Z",
	"updated_at": "2026-04-10T03:36:06.871152Z",
	"deleted_at": null,
	"sha1_hash": "8cea119b0444f3278dd356de8fe50ef3df1a7a65",
	"title": "Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 291967,
	"plain_text": "Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting\r\nBy: Daniel Lunghi Mar 01, 2023 Read time: 11 min (3063 words)\r\nPublished: 2023-03-01 · Archived: 2026-04-05 19:03:05 UTC\r\nIron Tiger is an advanced persistent threat (APT) group that has been focused primarily on cyberespionage for\r\nmore than a decade. In 2022, we noticed that they updated SysUpdate, one of their custom malware families, to\r\ninclude new features and add malware infection support for the Linux platform.\r\nWe found the oldest sample of this updated version in July 2022. At the time, we attributed the sample to Iron\r\nTiger but had not yet identified the final payload. It was only after finding multiple similar payloads in late\r\nOctober 2022 that we looked further and found similarities with the SysUpdate malware family that had also been\r\nupdated in 2021. As with the previous version, Iron Tiger had made the loading logic complex, probably in an\r\nattempt to evade security solutions.\r\nThis new version has similar features to the 2021 version, except that the C++ run-time type information (RTTI)\r\nclasses we previously observed in 2021 have been removed, and the code structure was changed to use the\r\nASIO C++ asynchronous library. Both changes make reverse engineering the samples take longer. We strongly advise\r\norganizations and users in the targeted industries to reinforce their security measures to defend their systems and\r\nstored information from this ongoing campaign.\r\nCampaign development timeline\r\nThese are the key dates for understanding the chronology of Iron Tiger’s operations:\r\nApr. 
2, 2022: Registration of the domain name linked to our oldest Windows sample of SysUpdate\r\nMay 11, 2022: The command and control (C\u0026C) infrastructure was set up.\r\nJune 8, 2022: Observed compilation date of our oldest Windows sample (this timestamp could have been\r\ntampered with).\r\nJuly 20, 2022: Oldest Windows sample gets uploaded to VirusTotal\r\nOct. 24, 2022: Oldest Linux sample gets uploaded to VirusTotal\r\nWe observed that the attacker registered the oldest domain name one month before starting the C\u0026C configuration,\r\nthen waited one more month before compiling the malicious sample linked to that domain name. We think the gap\r\nbetween these steps allows the attackers to plan their operations accordingly.\r\nLoading process\r\nWe observed the loading process entailing the following steps:\r\nThe attacker runs rc.exe, a legitimate “Microsoft Resource Compiler” signed file, which is vulnerable to\r\nDLL side-loading, and loads a file named rc.dll.\r\nThe malicious rc.dll loads a file named rc.bin in memory.\r\nhttps://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html\r\nPage 1 of 10\n\nThe rc.bin file is a Shikata Ga Nai encoded shellcode that decompresses and loads the first stage in\r\nmemory. Depending on the number of command line parameters, different actions are performed:\r\n    Zero or two parameters: “Installs” the malware in the system, and calls Stage 1 again via process\r\nhollowing with four parameters\r\n    One parameter: Same as previous action but without the “installation”\r\n    Four parameters: Creates a memory section with the DES-encrypted malware configuration and a\r\nsecond Shikata Ga Nai shellcode decompressing and loading Stage 2. 
It then runs Stage 2 via\r\nprocess hollowing.\r\nThe “installation” step is simple: the malware moves the files to a hardcoded folder.\r\nDepending on the privileges of the process, the malware either creates a registry key or a service that launches the\r\nmoved executable rc.exe with one parameter. This ensures that the malware will be launched during the next\r\nreboot, skipping the installation part.\r\nFigure 1. Updated SysUpdate loading process routine\r\nWe saw different legitimate executables being used, sideloading different DLL names, and multiple binary file\r\nnames being loaded by those DLLs. We identified the executables and sideloaded files as follows:\r\nTable 1. SysUpdate’s seemingly legitimate executables and their respective sideloaded files\r\nLegitimate application name | Certificate signer | Side-loaded DLL name | Loaded binary file name\r\nINISafeWebSSO.exe | Initech | inicore_v2.3.30.dll | inicore_v2.3.30.bin\r\nrc.exe | Microsoft | rcdll.dll | rcdll.bin\r\ndlpumgr32.exe | DESlock | DLPPREM32.dll | sv.bin\r\nGDFInstall.exe | UBISOFT ENTERTAINMENT | GameuxInstallHelper.DLL | sysconfig.bin\r\nroute-null.exe | Wazuh | libwazuhshared.dll | wazuhext.bin\r\nroute-null.exe | Wazuh | libwazuhshared.dll | agent-config.bin\r\nwazuh-agent.exe | Wazuh | libwinpthread-1.dll | wazuhext.bin\r\nWe want to highlight that this is the first time we have observed a threat actor abusing a sideloading vulnerability in a\r\nWazuh signed executable. Wazuh is a free and open source security platform, and we could confirm that one of the\r\nvictims was using the legitimate Wazuh platform. It is highly likely that Iron Tiger specifically looked for this\r\nvulnerability to appear legitimate in the victim’s environment. 
We have notified the affected victim of this\r\nintrusion but received no feedback.\r\nMalware features\r\nLooking at the features, several of the functions found in the latest update are similar to the previous SysUpdate\r\nversion:\r\nService manager (lists, starts, stops, and deletes services)\r\nScreenshot grab\r\nProcess manager (browses and terminates processes)\r\nDrive information retrieval\r\nFile manager (finds, deletes, renames, uploads, downloads a file, and browses a directory)\r\nCommand execution\r\nIron Tiger also added a feature that had not been seen before in this malware family: C\u0026C communication\r\nthrough DNS TXT requests. While DNS is not designed to carry arbitrary data, the attacker abuses this\r\nprotocol to send and receive information.\r\nFigure 2. C\u0026C communication with DNS TXT records\r\nFirst, the malware retrieves the configured DNS servers by calling the GetNetworkParams API function and\r\nparsing the DnsServerList linked list. If this method fails, the malware uses the DNS server operated by Google at\r\nIP address 8.8.8.8.\r\nFor the first request, the malware generates a random 32-bit number and appends 0x2191 to it. This results in\r\nsix bytes — four for the random number, two for 0x2191 — which it then encodes with the Base32 algorithm\r\nusing the alphabet “abcdefghijklmnopqrstuvwxyz012345”. Looking at Figure 2, the contacted domain name is\r\nafter \"TXT\"; only the first four letters change, as the rest of the encoded string is always the same. This is because\r\nthe random number changes every time, but the end is always the same “0x2191” value. This explains why the first DNS\r\nrequest always ends with “reeaaaaaa.\u003cc\u0026c domain\u003e”. 
If the C\u0026C reply matches the format expected by the\r\nmalware, it launches multiple threads that handle further commands and sends information about the infected\r\nmachine.\r\nInterestingly, the code related to this DNS C\u0026C communication is only present in samples that use it, meaning\r\nthat the builder is modular and that there might be samples in the wild with unreported features. We continue\r\nmonitoring this group and malware family for updates on possible variations of C\u0026C communication protocols\r\nbeing abused.\r\nIn all versions, the malware retrieves information on the infected machine and sends it to the C\u0026C encrypted with\r\nDES. Collected machine information includes the following:\r\nRandomly generated GUID\r\nHostname\r\nDomain name\r\nUsername\r\nUser privileges\r\nProcessor architecture\r\nCurrent process ID\r\nOperating system version\r\nCurrent file path\r\nLocal IP address and port used to send the network packet\r\nThe configuration is encrypted with a hardcoded DES key and is a few bytes long following the structure\r\nenumerated below:\r\nTable 2. 
Configuration structure\r\nField content | Length (in bytes) | Comment | Example\r\nHeader | 4 | We only found one value | 0x00000001\r\nGUID | 38 | Follows the Microsoft format | {89D0E853-FA08-4f94-A5FE-A90E6869E074}\r\nSize of the C\u0026C section | 4 | | 0x00000018\r\nSize of the next C\u0026C domain name and port | 4 | | 0x00000014\r\nC\u0026C type | 1 | 0x01 = regular C\u0026C, 0x05 = DNS tunneling, 0x00 = regular C\u0026C | 0x01\r\nC\u0026C domain name | Variable | | dev.gitlabs.me\r\nPort number | 4 | | 0x00000050\r\nSize of next section | 4 | Next section contains all the hardcoded names (folder, files, registry values) | 0x00000034\r\nName of the hardcoded directory where files are copied | Variable | The folder is located either in CSIDL_COMMON_APPDATA or in CSIDL_PROGRAM_FILES_COMMON | gtdcfp\r\nName of the executable vulnerable to side loading | Variable | | TextInputHost.exe\r\nName of the malicious side-loaded DLL | Variable | | rc.dll\r\nName of the binary file containing the encoded Stage 1 | Variable | | rc.bin\r\nName of the service or registry key value used for persistence | Variable | | gtdcfp\r\nWe noted that Stage 2 does not embed the configuration file, which is copied in memory by the previous stage. We\r\nonly saw one case where there was only one stage being decrypted in memory and the configuration was\r\nhardcoded.\r\nInterestingly, all the samples of this “new” version had a domain name as its C\u0026C. In the previous version of\r\nSysUpdate, the group used hardcoded IP addresses as C\u0026C. 
It is possible that this change is a consequence of the\r\nnew DNS TXT records’ communication feature as it requires a domain name.\r\nSysUpdate samples for Linux\r\nWhile investigating SysUpdate’s infrastructure, we found some ELF files linked to some C\u0026C servers. We\r\nanalyzed them and concluded that the files were a SysUpdate version made for the Linux platform. The ELF\r\nsamples were also written in C++, made use of the Asio library, shared common network encryption keys, and had\r\nmany similar features. For example, the file handling functions are almost the same. It is possible that the\r\ndeveloper made use of the Asio library because of its portability across multiple platforms.\r\nSome parameters can be passed to the binary (note that “Boolean” refers to Boolean data that is sent to the C\u0026C):\r\nTable 3. Parameters passed to the binary as observed from Linux SysUpdate samples\r\nParameter | Effect\r\n-launch | Sets persistence, zeroes boolean, and exits\r\n-run | Zeroes boolean and continues\r\n-x | Daemonizes the process, zeroes boolean, and continues\r\n-i | Daemonizes the process, zeroes boolean, sets persistence, and continues\r\n-f \u003cguid\u003e | Sets the GUID to \u003cguid\u003e and continues\r\nPersistence is ensured by copying a script named after the current file to the\r\n/usr/lib/systemd/system/ directory, and creating a symlink to this file in the /etc/systemd/system/multi-user.target.wants/ directory. Thus, this method only works if the current process has root privileges. 
The content of\r\nthe script is:\r\n[Unit]\r\nDescription=xxx\r\n[Service]\r\nType=forking\r\nExecStart=\u003cpath to current file\u003e -x\r\nExecStop=/usr/bin/id\r\n[Install]\r\nWantedBy=multi-user.target\r\nAfter running the code dependent on the parameters, if the operator has not chosen a GUID with the “-f”\r\nparameter, the malware generates a random GUID and writes it to a file named after the current file, with a\r\n“d” appended to it. Then, the malware retrieves information on the compromised computer and sends it to the\r\nC\u0026C.\r\nThe following information is sent to the C\u0026C, encrypted with a hardcoded key and the DES CBC algorithm:\r\nGUID\r\nHost name\r\nUsername\r\nLocal IP address and port used to send the request\r\nCurrent PID\r\nKernel version and machine architecture\r\nCurrent file path\r\nBoolean (0 if it was launched with exactly one parameter, 1 otherwise)\r\nFor the DNS C\u0026C communication version, the malware retrieves the configured DNS server by reading the\r\ncontent of the /etc/resolv.conf file, or uses the DNS server operated by Google at IP address 8.8.8.8.\r\nIn 2022, we already noticed that this threat actor was interested in platforms other than Windows, with the rshell\r\nmalware family running on Linux and Mac OS. For these reasons, we would not be surprised to see SysUpdate\r\nsamples for the Mac OS platform in the future. Interestingly, most of the Linux samples we found used the new\r\nDNS tunneling feature we detailed in Figure 2, while only one of the Windows samples used it.\r\nCertificate compromise\r\nAnother interesting part of this campaign is the fact that some of the malicious files are signed with a certificate\r\nwith the following signer: “Permyakov Ivan Yurievich IP”. Looking for that name in search engines brings results\r\nfrom the official VMProtect website. 
The email address linked to the Authenticode certificate also links to that\r\ndomain name. VMProtect is commercial software intended to make analysis of code extremely difficult by\r\nimplementing a custom virtual machine with a non-standard architecture. The software has been used\r\nby multiple APT and cybercrime groups in the past to obfuscate their malware.\r\nWhen searching on malware repositories for other files signed by the same certificate, we find multiple files\r\nnamed “VMProtectDemo.exe”, “VMProtect.exe”, or “VMProtect_Con.exe”, which suggests that an official demo\r\nversion of VMProtect is also signed by this certificate. It appears that the threat actor managed to retrieve the\r\nprivate key, allowing them to sign malicious code. As of this writing, the certificate has been revoked.\r\nUsing stolen certificates to sign malicious code is a common practice for this threat actor, as we already\r\nhighlighted in 2015 and in all our recent investigations. Interestingly, the threat actor not only signed some of its\r\nmalicious executables with the stolen certificate, but also used VMProtect to obfuscate one of them.\r\nIn late January 2023, a Redline stealer sample (detected by Trend Micro as\r\nTrojanSpy.Win32.REDLINE.YXDA1Z, SHA256:\r\ne24b29a1df287fe947018c33590a0b443d6967944b281b70fba7ea6556d00109) signed by the same certificate was\r\nuploaded. We do not believe that the stealer is linked to Iron Tiger, considering that the network infrastructure is\r\ndifferent, and previous reports document the malware’s goals as centered on cybercrime rather than data\r\ntheft. This could mean other users managed to extract the same private key from the VMProtect demo version, or\r\nit was sold in the underground to different groups, Iron Tiger among them.\r\nInfection vector\r\nWe did not find an infection vector. 
However, we noticed that one of the executables packed with VMProtect and\r\nsigned with the stolen certificate was named “youdu_client_211.9.194.exe”. Youdu is the name of a Chinese\r\ninstant messaging application aimed at enterprise customers. Its website mentions multiple customers in\r\nmany industries, some of them in critical sectors such as government, energy, healthcare, or banking. But they also\r\nhave other customers in industries such as gaming, IT, media, construction, and retail, apparently all located inside\r\nChina.\r\nThe properties of the malicious file also match the usual Youdu version numbering. However, the legitimate files\r\nare signed with a “Xinda.im” certificate instead of the stolen VMProtect certificate.\r\nFigure 3. Comparing the properties of the malicious file (left), and properties of the legitimate\r\nYoudu installer (right)\r\nBased on the product name identified in the malicious file’s properties, we searched for possible products named\r\n“i Talk” but did not find any that could be related to this investigation. However, we found traces of files from the\r\nlegitimate Youdu chat application signed by Xinda.im being copied to folders named “i Talk” on one victim’s\r\ncomputer. This suggests that some chat application named “i Talk” might be repackaging components from the\r\nofficial Youdu client along with malicious executables. It appears that a chat application was used as a lure to\r\nentice the victim into opening the malicious file. 
This would be consistent with the tactics, techniques, and\r\nprocedures (TTPs) of two previous Iron Tiger campaigns from 2020 and 2021: a documented compromise of a\r\nchat application widely used by the Mongolian government, and a supply chain attack on Mimi chat, a chat\r\napplication used in parts of South East Asia.\r\nPost-exploitation tools\r\nWe found a custom Chrome password and cookie grabber that we had not seen before; it was compiled and\r\nuploaded in September 2022. The file was also signed with the VMProtect certificate but it was not obfuscated. In\r\ngeneral, the features were simple: the malware decrypts the saved passwords to a file named “passwords.txt”, and\r\nthe cookies to a file named “cookies.txt”.\r\nAnalyzing its details, the malware first parses the “Local State” file to retrieve the AES key used to encrypt the\r\ncookies and passwords. It then copies the “Login Data” file to a temporary file “chromedb_tmp”, issues an SQL\r\nquery to extract the URL, login, and password fields from the file, and then decrypts them and appends the result\r\nto the “passwords.txt” file.\r\nIt proceeds to copy the “Cookies” file to a temporary file “chromedb_tmp”, extracts multiple fields from it using\r\nan SQL query, and then decrypts the content before copying the result to the “cookies.txt” file. Some specific\r\ncookies related to Google domain names are ignored, probably because they are mostly related to specific Google\r\nfeatures or tracking that are considered useless by the threat actor.\r\nWe found two other samples from this stealer: one compilation date indicated an executable built in November\r\n2020, and the other one in December 2021, although those dates could have been tampered with. 
We found those samples\r\nwere uploaded in November 2021 and August 2022, meaning this stealer has existed since at least late 2021.\r\nTargeting\r\nWe identified one gambling company in the Philippines as compromised by this campaign. Interestingly, the threat\r\nactor registered a domain name similar to the company name and used it as a C\u0026C. This was not surprising, as we\r\nhave noticed this threat actor targeting this industry since 2019 during our Operation DRBControl investigation,\r\nand later in 2021 with an update of SysUpdate. We also attempted to notify the company of this incident through\r\nall their listed channels but have received no feedback.\r\nAs stated in the “Infection vector” section, we noticed the Youdu chat application was probably used as a lure. It\r\nis worth mentioning that the customers mentioned on the Youdu official website are all located inside China, which\r\ncould be an indicator of the threat actor’s interest in targets related to this country.\r\nConclusion\r\nThis investigation confirms that Iron Tiger regularly updates its tools to add new features and probably to ease\r\ntheir portability to other platforms, confirming the interest we found from this threat actor in Linux or Mac OS. It\r\nalso corroborates this threat actor’s interest in the gambling industry and the South East Asia region, as we\r\npreviously noted in 2020 and 2021.\r\nThis campaign also substantiates Iron Tiger’s regular usage of chat applications as infection vectors. We\r\nexpect to find further updates of these tools in the future to accommodate other platforms and apps.\r\nAs an additional warning, we want to highlight that the targeting can be wider than the samples and targeting we\r\nhave already observed. In 2022, we discussed a campaign targeting Taiwan and the Philippines that made use of\r\nHyperBro samples (detected by Trend Micro as Backdoor.Win32.HYPERBRO.ENC) signed with a stolen Cheetah\r\ncertificate. 
The BfV, a German governmental entity, published a report in January 2022 mentioning attacks against\r\nGerman companies with HyperBro samples that were also signed with the same certificate. In October 2022,\r\nIntrinsec reported an incident in a French company also using HyperBro samples matching the structure we\r\ndescribed in our 2021 investigation. This shows the threat actor is likely to reuse the tools mentioned here in\r\nfuture campaigns that might target different regions or industries in the short and long term. Considering the active\r\ncampaign and regular developments made on this malware family, organizations are advised to enhance and\r\nbroaden their current and established security measures, and heighten overall vigilance for possible infection\r\nvectors that can be abused by this threat group.\r\nIndicators of Compromise (IOCs)\r\nDownload the full list of indicators here.\r\nSource: https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html"
	],
	"report_names": [
		"iron-tiger-sysupdate-adds-linux-targeting.html"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cea119b0444f3278dd356de8fe50ef3df1a7a65.pdf",
		"text": "https://archive.orkl.eu/8cea119b0444f3278dd356de8fe50ef3df1a7a65.txt",
		"img": "https://archive.orkl.eu/8cea119b0444f3278dd356de8fe50ef3df1a7a65.jpg"
	}
}