{
	"id": "7ff620e9-1863-42b4-86aa-eddcf7337b9b",
	"created_at": "2026-04-06T00:10:42.904067Z",
	"updated_at": "2026-04-10T03:37:54.454228Z",
	"deleted_at": null,
	"sha1_hash": "8d03027e768f3b6cb37e045ba8be18af327f1def",
	"title": "APT 41 - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 149157,
	"plain_text": "APT 41 - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:23:39 UTC\r\nAPT group: APT 41\r\nNames\r\nAPT 41 (FireEye)\r\nDouble Dragon (FireEye)\r\nTG-2633 (SecureWorks)\r\nBronze Atlas (SecureWorks)\r\nRed Kelpie (PWC)\r\nBlackfly (Symantec)\r\nEarth Baku (Trend Micro)\r\nSparklingGoblin (ESET)\r\nGrayfly (Symantec)\r\nTA415 (Proofpoint)\r\nBrazenBamboo (Volexity)\r\nG0096 (MITRE)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Financial crime, Information theft and espionage\r\nFirst seen 2012\r\nDescription (FireEye) FireEye Threat Intelligence assesses with high confidence that APT41 is a\r\nprolific cyber threat group that carries out Chinese state-sponsored espionage\r\nactivity in addition to financially motivated activity potentially outside of state\r\ncontrol. Activity traces back to 2012 when individual members of APT41 conducted\r\nprimarily financially motivated operations focused on the video game industry\r\nbefore expanding into likely state-sponsored activity. This is remarkable because\r\nexplicit financially motivated targeting is unusual among Chinese state-sponsored\r\nthreat groups, and evidence suggests these two motivations were balanced\r\nconcurrently from 2014 onward.\r\n• APT41 overlaps at least partially with public reporting on groups including Barium\r\nand Winnti Group, Wicked Panda. 
In some cases the primary observed similarity in\r\nthe publicly reported Winnti activity was the use of the same malware – including\r\nHIGHNOON – across otherwise separate clusters of activity.\r\n• Previous FireEye Threat Intelligence reporting on the use of HIGHNOON and\r\nrelated activity was grouped together under both Ke3chang, Vixen Panda, APT 15,\r\nGREF, Playful Dragon and Mana, although we now understand this to be the work\nof several Chinese cyber espionage groups that share tools and digital certificates.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2fe6ac14-796b-4d63-b136-2c20b88bdd9e\r\nPage 1 of 8\n\n• APT41 reflects our current understanding of what was previously reported as\nGREF, as well as additional indicators and activity gathered during our extensive\nreview of our intelligence holdings.\nAPT 41 has 2 subgroups:\n1. Subgroup: Earth Longzhi\n2. Subgroup: Earth Freybug\nAlso see Earth Lusca and RedGolf.\nObserved\nSectors: Construction, Defense, Education, Energy, Financial, Government,\nHealthcare, High-Tech, Hospitality, Manufacturing, Media, Oil and gas,\nPetrochemical, Pharmaceutical, Retail, Shipping and Logistics, Telecommunications,\nTransportation, Online video game companies.\nCountries: Australia, Bahrain, Brazil, Canada, Chile, Denmark, Finland, France,\nGeorgia, Hong Kong, India, Indonesia, Italy, Japan, Malaysia, Mexico, Myanmar,\nNetherlands, Pakistan, Philippines, Poland, Qatar, Saudi Arabia, Singapore, South\nKorea, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Taiwan, Thailand,\nTurkey, UAE, UK, USA, Vietnam.\nTools used\n9002 RAT, AceHash, ADORE.XSEC, AntSword, ASPXSpy, Barlaiy, BEACON,\nBlackCoffee, BLUEBEAM, certutil, China Chopper, Cobalt Strike, COLDJAVA,\nCrackshot, CrossWalk, DBoxAgent, DEADEYE, DEPLOYLOG, Derusbi,\nDIRTCLEANER, DragonEgg, DUSTPAN, DUSTTRAP, EasyNight, FunnySwitch,\nGearShift, Gh0st RAT, HDRoot, HighNoon, HighNote, HKDOOR, HUI Loader,\nJumpall, KEYPLUG, LATELUNCH, LIFEBOAT, Lowkey, 
MessageTap,\nMeterpreter, Mimikatz, MoonBounce, MoonWalk, njRAT, NTDSDump, PACMAN,\nPINEGROVE, PipeMon, PlugX, POTROAST, PRIVATELOG, pwdump, RedXOR,\nROCKBOOT, SAGEHIRE, SerialVlogger, ShadowHammer, ShadowPad Winnti,\nSideWalk, Skip-2.0, SPARKLOG, Speculoos, Spyder, SQLULDR2, STASHLOG,\nSWEETCANDLE, TERA, TIDYELF, Voldemort, WIDETONE, WINNKIT, Winnti,\nWINTERLOVE, WyrmSpy, xDll, XDOOR, XMRig, ZXShell, Living off the Land.\nOperations performed\nAutumn 2016\nBreach of TeamViewer\nJul 2017\nShadowPad is one of the largest known supply-chain attacks. Had\nit not been detected and patched so quickly, it could potentially\nhave targeted hundreds of organizations worldwide.\nreleases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world\u003e\nJun 2018\nOperation “ShadowHammer”\nA supply-chain attack dubbed “Operation ShadowHammer” has\nbeen uncovered, targeting users of the ASUS Live Update Utility\nwith a backdoor injection. The China-backed BARIUM APT is\nsuspected to be at the helm of the project.\nAccording to Kaspersky Lab, the campaign ran from June to at\nleast November 2018 and may have impacted more than a million\nusers worldwide – though the adversaries appear to have been after\nspecific victims in Asia.\n2019\nOperation “CuckooBees”\nCybereason Uncovers Massive Chinese Intellectual Property Theft\nOperation\nMar 2019\nAlthough the malware uses different configurations in each case,\nthe three affected software products included the same backdoor\ncode and were launched using the same mechanism. While two of\nthe compromised products no longer include the backdoor, one of\nthe affected developers is still distributing the trojanized version:\nironically, the game is named Infestation, and is produced by Thai\ndeveloper Electronics Extreme.\nApr 2019\nIn April 2019, FireEye’s Managed Defense team identified\nsuspicious activity on a publicly-accessible web server at a U.S.-based\nresearch university. 
This activity indicated that the attackers\nwere exploiting CVE-2019-3396, a vulnerability in Atlassian\nConfluence Server that allowed for path traversal and remote code\nexecution.\nAug 2019\nAPT41’s newest espionage tool, MESSAGETAP, was discovered\nduring a 2019 investigation at a telecommunications network\nprovider within a cluster of Linux servers. Specifically, these\nLinux servers operated as Short Message Service Center (SMSC)\nservers.\nOct 2019\nWinnti Group’s skip-2.0: A Microsoft SQL Server backdoor\nNov 2019\nIn November 2019, we discovered a new campaign run by the\nWinnti Group against two Hong Kong universities. We found a\nnew variant of the ShadowPad backdoor, the group’s flagship\nbackdoor, deployed using a new launcher and embedding\nnumerous modules. The Winnti malware was also found at these\nuniversities a few weeks prior to ShadowPad.\nJan 2020\nBetween January 20 and March 11, FireEye observed APT41\nattempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco\nrouters, and Zoho ManageEngine Desktop Central at over 75\nFireEye customers.\nFeb 2020\nIn February 2020, we discovered a new, modular backdoor, which\nwe named PipeMon. Persisting as a Print Processor, it was used by\nthe Winnti Group against several video gaming companies that are\nbased in South Korea and Taiwan and develop MMO (Massively\nMultiplayer Online) games. Video games developed by these\ncompanies are available on popular gaming platforms and have\nthousands of simultaneous players.\n2020\nNew Linux Backdoor RedXOR Likely Operated by Chinese\nNation-State Actor\nMar 2020\nDuring threat research in March 2020, PT Expert Security Center\nspecialists found a previously unknown backdoor and named it\nxDll, based on the original name found in the code. 
As a result of a\nconfiguration flaw of the malware's command and control (C2)\nserver, some server directories were externally accessible.\nApr 2020\nHackers linked to Chinese government stole millions in Covid\nbenefits, Secret Service says\nJul 2020\nAPT41 Resurfaces as Earth Baku With New Cyberespionage\nCampaign\nOct 2020\nLookout Attributes Advanced Android Surveillanceware to\nChinese Espionage Group APT41\n2021\nAPT41 World Tour 2021 on a tight schedule\nFeb 2021\nYou never walk alone: The SideWalk backdoor gets a Linux\nvariant\nEarly 2021\nNew Wave of Espionage Activity Targets Asian Governments\nMar 2021\nOperation “ColunmTK”\nBig airline heist\nSpring 2021\nMoonBounce: the dark side of UEFI firmware\nMay 2021\nDoes This Look Infected? A Summary of APT41 Targeting U.S.\nState Governments\nJul 2021\nBIOPASS RAT: New Malware Sniffs Victims via Live Streaming\nAug 2021\nThe SideWalk may be as dangerous as the CROSSWALK\nAug 2022\nWinnti APT group docks in Sri Lanka for new campaign\nLate 2022\nBlackfly: Espionage Group Targets Materials Technology\nLate 2022\nA Dive into Earth Baku’s Latest Campaign\n2023\nAPT41 Has Arisen From the DUST\nJul 2023\nAPT41 likely compromised Taiwanese government-affiliated\nresearch institute with ShadowPad and Cobalt Strike\n2024\nChinese APT Uses VPN Bug to Exploit Worldwide OT Orgs\nMar 2024\nWinnti APT41 Targets Japanese Firms in RevivalStone Cyber\nEspionage Campaign\nApr 2024\nDodgeBox: A deep dive into the updated arsenal of APT41 | Part 1\nMoonWalk: A deep dive into the updated arsenal of APT41 | Part 2\nApr 2024\nLightSpy: APT41 Deploys Advanced DeepData Framework In\nTargeted Southern Asia Espionage Campaign\nJul 2024\nBrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN\nCredentials via DEEPDATA\nAug 2024\nThe 
Malware That Must Not Be Named: Suspected Espionage\nCampaign Delivers “Voldemort”\nOct 2024\nMark Your Calendar: APT41 Innovative Tactics\nJul 2025\nThe SOC files: Rumble in the jungle or APT41’s new target in\nAfrica\nCounter operations\nAug 2020\nSeven International Cyber Defendants, Including “Apt41” Actors,\nCharged In Connection With Computer Intrusion Campaigns\nAgainst More Than 100 Victims Globally\nInformation\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2fe6ac14-796b-4d63-b136-2c20b88bdd9e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2fe6ac14-796b-4d63-b136-2c20b88bdd9e"
	],
	"report_names": [
		"showcard.cgi?u=2fe6ac14-796b-4d63-b136-2c20b88bdd9e"
	],
	"threat_actors": [
		{
			"id": "7936e2f8-5179-414a-8b57-530c28062f26",
			"created_at": "2023-04-27T02:04:45.231554Z",
			"updated_at": "2026-04-10T02:00:04.87247Z",
			"deleted_at": null,
			"main_name": "RedGolf",
			"aliases": [],
			"source_name": "ETDA:RedGolf",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"ELFSHELF",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b317799-01c0-48fa-aee2-31a738116771",
			"created_at": "2022-11-20T02:02:37.746719Z",
			"updated_at": "2026-04-10T02:00:04.561617Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"Earth Longzhi"
			],
			"source_name": "ETDA:Earth Longzhi",
			"tools": [
				"Agentemis",
				"BigpipeLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"CroxLoader",
				"MultiPipeLoader",
				"OutLoader",
				"Symatic Loader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c97ccfd-1888-492c-b7b9-bb52c4c3809b",
			"created_at": "2023-01-06T13:46:38.940529Z",
			"updated_at": "2026-04-10T02:00:03.152806Z",
			"deleted_at": null,
			"main_name": "Operation ShadowHammer",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation ShadowHammer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f799b96d-bc59-4b35-ae5c-dfe87e5b735b",
			"created_at": "2023-04-26T02:02:01.286476Z",
			"updated_at": "2026-04-10T02:00:03.363506Z",
			"deleted_at": null,
			"main_name": "RedGolf",
			"aliases": [],
			"source_name": "MISPGALAXY:RedGolf",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8b57a00-18f4-4e49-9954-849de5e97506",
			"created_at": "2023-11-05T02:00:08.065073Z",
			"updated_at": "2026-04-10T02:00:03.395154Z",
			"deleted_at": null,
			"main_name": "SparklingGoblin",
			"aliases": [],
			"source_name": "MISPGALAXY:SparklingGoblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "315bd857-79cc-46f2-896f-aeb0fc576b49",
			"created_at": "2024-04-28T02:00:03.693599Z",
			"updated_at": "2026-04-10T02:00:03.62936Z",
			"deleted_at": null,
			"main_name": "Earth Freybug",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Freybug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "10e4e1de-afe4-4a62-b46d-07800c801a17",
			"created_at": "2024-04-24T02:02:07.562188Z",
			"updated_at": "2026-04-10T02:00:04.560334Z",
			"deleted_at": null,
			"main_name": "Earth Freybug",
			"aliases": [
				"Earth Freybug"
			],
			"source_name": "ETDA:Earth Freybug",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"UNAPIMON"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d196cb29-a861-4838-b157-a31ac92c6fb1",
			"created_at": "2023-11-04T02:00:07.66699Z",
			"updated_at": "2026-04-10T02:00:03.386945Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"SnakeCharmer"
			],
			"source_name": "MISPGALAXY:Earth Longzhi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "24d5f393-f5c7-41a3-8d8f-2f9129a2925e",
			"created_at": "2024-11-20T02:00:03.66537Z",
			"updated_at": "2026-04-10T02:00:03.776928Z",
			"deleted_at": null,
			"main_name": "BrazenBamboo",
			"aliases": [],
			"source_name": "MISPGALAXY:BrazenBamboo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434242,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d03027e768f3b6cb37e045ba8be18af327f1def.pdf",
		"text": "https://archive.orkl.eu/8d03027e768f3b6cb37e045ba8be18af327f1def.txt",
		"img": "https://archive.orkl.eu/8d03027e768f3b6cb37e045ba8be18af327f1def.jpg"
	}
}