{ "id": "e99ee81c-241c-4b93-a7f6-ea00392911a2", "created_at": "2026-04-06T00:15:47.918605Z", "updated_at": "2026-04-10T03:37:21.710789Z", "deleted_at": null, "sha1_hash": "8e3cb1df4bfe919159e8adeff374e65f8a3d913c", "title": "HyperBro (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 90341, "plain_text": "HyperBro (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 12:58:07 UTC\r\nHyperBro is a RAT that has been observed to target primarily within the gambling industries, though it has been\r\nspotted in other places as well. The malware typically consists of 3 or more components: a) a genuine loader\r\ntypically with a signed certification b) a malicious DLL loader loaded from the former component via DLL\r\nhijacking c) an encrypted and compressed blob that decrypts to a PE-based payload which has its C2 information\r\nhardcoded within.\r\n2023-07-18 ⋅ Mandiant ⋅\r\nStealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection\r\nBPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear 2022-10-18 ⋅ Intrinsec ⋅\r\nCERT Intrinsec, Intrinsec\r\nAPT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis\r\nHyperBro MimiKatz 2022-08-12 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nIron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users\r\nRshell HyperBro Earth Berberoka 2022-08-12 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nIron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (IOCs)\r\nHyperBro 2022-08-12 ⋅ Sekoia ⋅ Threat \u0026 Detection Research Team\r\nLuckyMouse uses a backdoored Electron app to target MacOS\r\nHyperBro 2022-02-07 ⋅ Cyware ⋅ Cyware\r\nAPT27 Group Targets German Organizations with HyperBro\r\nHyperBro 2022-01-26 ⋅ BleepingComputer ⋅ Sergiu Gatlan\r\nGerman govt warns of APT27 hackers backdooring business networks\r\nHyperBro 2022-01-26 ⋅ Bundesamt für Verfassungsschutz ⋅ Bundesamt für Verfassungsschutz\r\nCurrent cyber attack campaign against German business enterprises by APT27\r\nHyperBro 2021-08-10 ⋅ FireEye ⋅ Israel Research Team, U.S. Threat Intel Team\r\nUNC215: Spotlight on a Chinese Espionage Campaign in Israel\r\nHyperBro HyperSSL MimiKatz 2021-04-29 ⋅ ESET Research ⋅ Andy Garth, Daniel Chromek, Matthieu Faou, Robert Lipovsky,\r\nTony Anscombe\r\nESET Industry Report on Government: Targeted but not alone\r\nExaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy 2021-04-09 ⋅ Trend Micro ⋅ Daniel Lunghi, Kenney\r\nLu\r\nIron Tiger APT Updates Toolkit With Evolved SysUpdate Malware\r\nHyperBro HyperSSL APT27 2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare\r\nOperation StealthyTrident: corporate software under attack\r\nHyperBro PlugX Tmanger TA428 2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare\r\nOperation StealthyTrident: corporate software under attack\r\nHyperBro PlugX ShadowPad Tmanger 2020-12-09 ⋅ Avast Decoded ⋅ Igor Morgenstern, Luigino Camastra\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro\r\nPage 1 of 2\n\nAPT Group Targeting Governmental Agencies in East Asia\r\nLaZagne Albaniiutas HyperBro MimiKatz PolPo Tmanger TaskMasters 2020-12-09 ⋅ Avast Decoded ⋅ Igor Morgenstern,\r\nLuigino Camastra\r\nAPT Group Targeting Governmental Agencies in East Asia\r\nAlbaniiutas HyperBro PlugX Tmanger TA428 2020-12-09 ⋅ Avast Decoded ⋅ Igor Morgenstern, Luigino Camastra\r\nAPT Group Targeting Governmental Agencies in East Asia\r\nAlbaniiutas HyperBro PlugX PolPo Tmanger 2020-11-27 ⋅ PTSecurity ⋅ Alexey Vishnyakov, Denis Goydenko\r\nInvestigation with a twist: an accidental APT attack and averted data destruction\r\nTwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz 2020-10-30 ⋅ YouTube (Kaspersky Tech) ⋅ Kris McConkey\r\nAround the world in 80 days 4.2bn packets\r\nCobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti 2020-09-30 ⋅ Team Cymru ⋅ Jacomo Piccolini, James Shank\r\nPandamic: Emissary Pandas in the Middle East\r\nHyperBro HyperSSL 2020-06-03 ⋅ Trend Micro ⋅ Daniel Lunghi\r\nHow to perform long term monitoring of careless threat actors\r\nBBSRAT HyperBro Trochilus RAT 2020-03-25 ⋅ Team Cymru ⋅ Team Cymru\r\nHow the Iranian Cyber Security Agency Detects Emissary Panda Malware\r\nHyperBro 2020-02-18 ⋅ Trend Micro ⋅ Cedric Pernet, Daniel Lunghi, Jamz Yaneza, Kenney Lu\r\nUncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations\r\nCobalt Strike HyperBro PlugX Trochilus RAT Operation DRBControl 2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo\r\nChen, Zero Chen\r\nCLAMBLING - A New Backdoor Base On Dropbox\r\nHyperBro PlugX 2020-01-01 ⋅ FireEye ⋅ Mandiant, Mitchell Clarke, Tom Hall\r\nMandiant IR Grab Bag of Attacker Activity\r\nTwoFace CHINACHOPPER HyperBro HyperSSL 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE UNION\r\n9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell\r\nAPT27 2019-06-13 ⋅ ae CERT ⋅ ae CERT\r\nAdvanced Notification of Cyber Threats against Family of Malware Giving Remote Access to Computers\r\nHyperBro HyperSSL 2019-02-27 ⋅ Secureworks ⋅ CTU Research Team\r\nA Peek into BRONZE UNION’s Toolbox\r\nGhost RAT HyperBro ZXShell 2018-06-13 ⋅ Kaspersky Labs ⋅ Denis Legezo\r\nLuckyMouse hits national data center to organize country-level waterholing campaign\r\nHyperBro APT27\r\n[TLP:WHITE] win_hyperbro_auto (20251219 | Detects win.hyperbro.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro" ], "report_names": [ "win.hyperbro" ], "threat_actors": [ { "id": "11f52079-26d3-4e06-8665-6a0b3efdc41c", "created_at": "2022-10-25T16:07:23.736987Z", "updated_at": "2026-04-10T02:00:04.732021Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [ "UAC-0035" ], "source_name": "ETDA:InvisiMole", "tools": [ "InvisiMole" ], "source_id": "ETDA", "reports": null }, { "id": "ed4c7e37-461f-40f1-ad43-6ad7e21b32bc", "created_at": "2022-10-25T16:07:24.303712Z", "updated_at": "2026-04-10T02:00:04.929134Z", "deleted_at": null, "main_name": "TaskMasters", "aliases": [], "source_name": "ETDA:TaskMasters", "tools": [ "404-Input-shell web shell", "ASPXSpy", "ASPXTool", "AtNow", "DbxDump Utility", "HTran", "HUC Packet Transmit Tool", "Mimikatz", "NBTscan", "PortScan", "ProcDump", "PsExec", "PsList", "RemShell", "RemShell Downloader", "gsecdump", "jsp File browser", "nbtscan", "pwdump", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "69cba9ab-de35-4103-a699-7d243bcfd196", "created_at": "2023-01-06T13:46:39.159472Z", "updated_at": "2026-04-10T02:00:03.233731Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "MISPGALAXY:XDSpy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "274f04ff-fae8-4e90-bcf5-3e391a860cd5", "created_at": "2023-12-08T02:00:05.75114Z", "updated_at": "2026-04-10T02:00:03.493837Z", "deleted_at": null, "main_name": "UNC215", "aliases": [], "source_name": "MISPGALAXY:UNC215", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b", "created_at": "2023-01-06T13:46:39.095233Z", "updated_at": "2026-04-10T02:00:03.21157Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [], "source_name": "MISPGALAXY:InvisiMole", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01", "created_at": "2022-10-25T16:07:23.562676Z", "updated_at": "2026-04-10T02:00:04.662064Z", "deleted_at": null, "main_name": "Earth Berberoka", "aliases": [ "GamblingPuppet" ], "source_name": "ETDA:Earth Berberoka", "tools": [ "Agent.dhwf", "AngryRebel", "AsyncRAT", "CinaRAT", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "Kaba", "Korplug", "Moudour", "Mydoor", "PCRat", "PlugX", "PuppetLoader", "Quasar RAT", "QuasarRAT", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "Xamtrav", "Yggdrasil", "oRAT" ], "source_id": "ETDA", "reports": null }, { "id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253", "created_at": "2022-10-25T16:07:24.277669Z", "updated_at": "2026-04-10T02:00:04.919609Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "Operation LagTime IT", "Operation StealthyTrident", "ThunderCats" ], "source_name": "ETDA:TA428", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "Albaniiutas", "BlueTraveller", "Chymine", "Cotx RAT", "CoughingDown", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "LuckyBack", "PhantomNet", "PlugX", "Poison Ivy", "RedDelta", "RoyalRoad", "SManager", "SPIVY", "Sogu", "TIGERPLUG", "TManger", "TVT", "Thoper", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "4ae78ca3-8bc8-4d67-9df1-a85df250a8a0", "created_at": "2024-10-08T02:00:04.469211Z", "updated_at": "2026-04-10T02:00:03.726781Z", "deleted_at": null, "main_name": "TaskMasters", "aliases": [ "BlueTraveller" ], "source_name": "MISPGALAXY:TaskMasters", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d69b3831-de95-42c9-b4b6-26232627206f", "created_at": "2022-10-25T16:07:24.429466Z", "updated_at": "2026-04-10T02:00:04.985102Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "ETDA:XDSpy", "tools": [ "ChromePass", "IE PassView", "MailPassView", "Network Password Recovery", "OperaPassView", "PasswordFox", "Protected Storage PassView", "XDDown", "XDList", "XDLoc", "XDMonitor", "XDPass", "XDRecon", "XDUpload" ], "source_id": "ETDA", "reports": null }, { "id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71", "created_at": "2025-01-21T02:00:03.599871Z", "updated_at": "2026-04-10T02:00:03.804511Z", "deleted_at": null, "main_name": "Operation DRBControl", "aliases": [], "source_name": "MISPGALAXY:Operation DRBControl", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4", "created_at": "2022-10-25T16:07:23.946958Z", "updated_at": "2026-04-10T02:00:04.80291Z", "deleted_at": null, "main_name": "Operation DRBControl", "aliases": [], "source_name": "ETDA:Operation DRBControl", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1", "created_at": "2023-01-06T13:46:39.042499Z", "updated_at": "2026-04-10T02:00:03.194713Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "BRONZE DUDLEY", "Colourful Panda" ], "source_name": "MISPGALAXY:TA428", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2664d6f5-f918-4978-87f8-f6afad7402c6", "created_at": "2023-01-06T13:46:39.393669Z", "updated_at": "2026-04-10T02:00:03.312065Z", "deleted_at": null, "main_name": "Earth Berberoka", "aliases": [ "GamblingPuppet" ], "source_name": "MISPGALAXY:Earth Berberoka", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "ea34919f-9093-4e34-b9de-a37ab9b4d5c4", "created_at": "2022-10-25T16:07:24.35727Z", "updated_at": "2026-04-10T02:00:04.952883Z", "deleted_at": null, "main_name": "UNC215", "aliases": [], "source_name": "ETDA:UNC215", "tools": [ "AdFind", "CHINACHOPPER", "China Chopper", "FOCUSFJORD", "HighShell", "HyperBro", "HyperSSL", "HyperShell", "Mimikatz", "NBTscan", "ProcDump", "PsExec", "SEASHARPEE", "SinoChopper", "SysUpdate", "TwoFace", "WHEATSCAN", "WinRAR", "certutil", "certutil.exe", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "236429ce-6355-43f6-9b58-e6803a1df3f4", "created_at": "2026-03-16T02:02:50.60344Z", "updated_at": "2026-04-10T02:00:03.641587Z", "deleted_at": null, "main_name": "Bronze Union", "aliases": [ "Circle Typhoon ", "Emissary Panda " ], "source_name": "Secureworks:Bronze Union", "tools": [ "China Chopper", "OwaAuth", "Sysupdate" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434547, "ts_updated_at": 1775792241, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8e3cb1df4bfe919159e8adeff374e65f8a3d913c.pdf", "text": "https://archive.orkl.eu/8e3cb1df4bfe919159e8adeff374e65f8a3d913c.txt", "img": "https://archive.orkl.eu/8e3cb1df4bfe919159e8adeff374e65f8a3d913c.jpg" } }