{
	"id": "683e50e8-34f4-4eda-84e0-0e402c2c78da",
	"created_at": "2026-04-06T00:21:22.396153Z",
	"updated_at": "2026-04-10T03:36:33.552913Z",
	"deleted_at": null,
	"sha1_hash": "8d8e413624e7fa3028c5b4e54728e64ecc656438",
	"title": "Project TajMahal – a sophisticated new APT framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 364573,
	"plain_text": "Project TajMahal – a sophisticated new APT framework\r\nBy AMR\r\nPublished: 2019-04-10 · Archived: 2026-04-05 14:43:49 UTC\r\nhttps://securelist.com/project-tajmahal/90240/\r\nPage 1 of 9\n\nExecutive summary\r\n‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we’ve ever seen for an APT toolset.\r\nJust to highlight its capabilities, TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue. It can also request to steal a particular file from a previously seen USB stick; the next time that USB stick is connected to the computer, the file will be stolen.\r\nTajMahal has been developed and used for at least the past five years. The first known ‘legit’ sample timestamp is from August 2013, and the last one is from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014.\r\nMore details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).\r\nTechnical details\r\nWe have discovered two different types of TajMahal packages, self-named Tokyo and Yokohama. The targeted systems found by Kaspersky Lab were infected with both packages. This suggests that Tokyo was used as the first-stage infection, deploying the fully functional Yokohama package on interesting victims, and was then left in place for backup purposes. The packages share the same code base; we identified the following interesting features:\r\nCapable of stealing documents sent to the printer queue.\r\nData gathered for victim recon includes the backup list for Apple mobile devices.\r\nTakes screenshots when recording VoiceIP app audio.\r\nSteals written CD images.\r\nCapable of stealing files previously seen on removable drives once they are available again.\r\nSteals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies.\r\nIf deleted from the Frontend file or related registry values, it will reappear after reboot with a new name and startup type.\r\nVictims\r\nSo far we have detected a single victim based on our telemetry – a diplomatic entity from a country in Central Asia.\r\nConclusion\r\nThe TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge number of plugins that implement a number of features is something we have never before seen in any other APT activity. For example, it has its own indexer, emergency C2s, is capable of stealing specific files from external drives when they become available again, etc.\r\nThe question is, why go to all that trouble for just one victim? A likely hypothesis is that there are other victims we haven’t found yet. This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.\r\nKaspersky Lab products detect the TajMahal APT samples as HEUR:Trojan.Multi.Chaperone.gen\r\nAppendix I – Indicators of compromise\r\nA full set of IOCs and Yara rules is available to customers of the Kaspersky Intelligence Reporting service – contact intelreports@kaspersky.com\r\nDomains and IPs\r\n104.200.30.125\r\n50.56.240.153\r\nrahasn.webhop.org\r\nrahasn.akamake.net\r\nrahasn.homewealth.biz\r\nFile Hashes\r\nAppendix II – Additional technical details\r\nThe following table provides the full list of files stored in the VFS with a short description of what the plugins do:\r\nnn | Name | Short description\r\n00, 01 | cs64.dll, cs32.dll | C2 communication and command processing. WatchPoints document stealer.\r\n02, 03 | li64.dll, li32.dll | LocalInfo. Collects a large amount of information, titled “TAJ MAHAL”.\r\n04, 06 | ad64.dll, ad32.dll | AudioRecorder. Microphone, Voice IP applications.\r\n07, 08 | le64.dll, le32.dll | Open source-based LAME mp3 encoder (“Mar 27 2014”) used by AudioRecorder plugins (adXX.dll).\r\n09 | dd.m | MP3 file sent by AudioRecorder (adXX.dll) when the cache is cleared.\r\n10, 11 | me64.dll, me32.dll | AudioRecorder for Windows Metro applications. Injects ma32.dll into “wwahost.exe” or “audacity.exe”.\r\n12 | ma32.dll | AudioRecorder for Windows COM. Hooks IAudioClient, IAudioRenderClient, IMMDevice.\r\n13, 14 | ams_api64.dll, ams_api32.dll | Handy wrapper around the API of exXX.dll, pdXX.dll, sgXX.dll.\r\n15, 16 | ex64.dll, ex32.dll | Orchestrator. Update/install/uninstall, selects target processes and loads plugins.\r\n17, 18 | fe64.dll, fe32.dll | Template of the “Yokohama” Frontend module; used for reinstalling.\r\n19, 20 | pd64.dll, pd32.dll | Provides API to access configuration settings, working files, egress queue.\r\n21, 22 | libpng64.dll, libpng32.dll | Open source “libpng” library version 1.5.8 (February 1, 2012). Used by Screenshoter plugin (ssXX.dll).\r\n23, 24 | rs64.dll, rs32.dll | Reinstaller/Injector.\r\n25, 26 | ix32.dll, ix64.dll | LoadLibrary call template dll used by the Reinstaller/Injector plugin (rsXX.dll) for injecting a LoadLibrary call into running processes.\r\n05, 27, 28 | obj32.bin, obj32.bin, obj64.bin | Shellcode template used by Reinstaller/Injector (rsXX.dll) and AudioRecorder4MetroApp (meXX.dll) for injecting into running processes. Both versions of “obj32.bin” are the same; it seems to be stored twice by mistake.\r\n29, 30 | sc64.dll, sc32.dll | Utility library. Provides API for cryptography, file, registry, memory management operations and so on.\r\n31, 32 | sg64.dll, sg32.dll | Library for managing the egress queue (files and messages prepared to send to CC).\r\n33, 34 | st64.dll, st32.dll | SuicideWatcher. Watches uninstall time, checks time diff (local time vs internet time).\r\n35, 36 | zip64.dll, zip32.dll | Open source “XZip/XUnzip” library by Info-Zip + Lucian Wischik + Hans Dietrich. Used by Indexer (inXX.dll) and C2 communication (csXX.dll) plugins.\r\n37, 38 | zlib64.dll, zlib32.dll | Open source “zlib” version 1.2.3 used by libpngXX.dll for compressing screenshots (ssXX.dll).\r\n39 | il32.dll | IM-Stealer. Steals conversation content from chat windows of instant messaging applications.\r\n40, 55 | in32.dll, in64.dll | Indexer. Indexes files on victim drives, user profiles, removable drives. Built index files are zipped (by zipXX.dll) and put in the send queue.\r\n41, 42, 43, 44, 46, 47, 48, 49, 50, 51, 52, 53, 56 | isys9core_64.dll, isyspdf6_64.dll, isyspdfl_64.dll, isysdc_64.dll, isys9.key, isys.cwd, isys.elx, isys9_32.dll, isys9core_32.dll, isyspdf6_32.dll, isyspdfl_32.dll, isysdc_32.dll, isys9_64.dll | Proprietary “ISYS Search Software” components used by the Indexer plugin. Licensee_ID1 “Q5GXU H5W67 23B4W SCQFD 4G7HV 9GSLW”; Licensee_ID2 “objectviewer.exe”.\r\n45, 54 | sqlite3_64.dll, sqlite3_32.dll | Open source “sqlite” library. Used by “ISYS Search”.\r\n57, 58 | tn32.dll, tn64.dll | Thumbnailer. Makes and prepares to send thumbnails of found picture files.\r\n59, 60, 61, 62 | freeimage_32.dll, freeimageplus_32.dll, freeimage_64.dll, freeimageplus_64.dll | FreeImage open source library supporting popular graphics image formats (ver 3.15.4 2012-10-27) (http://freeimage.sourceforge.net). Used by the Thumbnailer (tnXX.dll) plugin.\r\n63, 64 | ku64.dll, ku32.dll | Keylogger \u0026 clipboard monitor.\r\n65, 66 | pm64.dll, pm32.dll | Steals printed documents from the spooler queue. This is done by enabling the “KeepPrintedJobs” attribute for each configured printer stored in the Windows Registry: key “SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers”, value “Attributes”.\r\n67, 68 | rc64.dll, rc32.dll | EgressSender. Sends files from the output queue to C2.\r\n69, 70 | rn64.dll, rn32.dll | Daily “ClientRecon” (ComputerName, OS information, MacAddress, WirelessNetwork keys, connected Apple devices, Apple mobile devices backups list, IE version, SecurityCenterInfo (AV, Firewalls and AntiSpyware products), Hardware info, Installed soft including Metro Apps, Users, Autoruns). Checks and sends to C2 if something changed.\r\n71, 72 | ss64.dll, ss32.dll | Screenshoter. Periodic low resolution screenshots. High resolution screenshots of specified process windows and when recording VoiceIP application audio. See “ss_pr” \u0026 “ss_wt_nm” cfg vars.\r\n73, 74 | vm32.dll, vm64.dll | Steals documents from fixed and removable drives. Watches CDBurnArea and steals written CD images.\r\n75, 76 | wc64.dll, wc32.dll | Periodically takes webcam snapshots.\r\n77 | default.cfg | Default configuration settings file.\r\n78 | runin.bin | List of process names and the associated plugins that should be run inside these processes.\r\n79 | morph.dat | Configuration file storing the paths of work folders and registry keys.\r\nSource: https://securelist.com/project-tajmahal/90240/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/project-tajmahal/90240/"
	],
	"report_names": [
		"90240"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434882,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d8e413624e7fa3028c5b4e54728e64ecc656438.pdf",
		"text": "https://archive.orkl.eu/8d8e413624e7fa3028c5b4e54728e64ecc656438.txt",
		"img": "https://archive.orkl.eu/8d8e413624e7fa3028c5b4e54728e64ecc656438.jpg"
	}
}