{ "id": "26dc35ae-f54a-4ffc-a8d7-f15d396ba1ca", "created_at": "2026-04-06T00:18:31.25705Z", "updated_at": "2026-04-10T03:30:45.584215Z", "deleted_at": null, "sha1_hash": "8e3ce9a743cfcdffcfb90ce9621a88ae2aef8b79", "title": "LevelBlue - Open Threat Exchange", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 31510, "plain_text": "LevelBlue - Open Threat Exchange\r\nBy AlienVault\r\nArchived: 2026-04-05 18:45:16 UTC\r\nFileHash-MD5: 7 | FileHash-SHA1: 7 | FileHash-SHA256: 32 | URL: 3 | YARA: 16 | Hostname: 4\r\nUnit 42 discovered new activity that appears related to an adversary group previously called “C0d0so0” or\r\n“Codoso”. This group is well known for a widely publicized attack involving the compromise of Forbes.com, in\r\nwhich the site was used to compromise selected targets via a watering hole to a zero-day Adobe Flash exploit.\r\nCompared to other adversary groups, C0d0so0 has shown the use of more sophisticated tactics and tools and has\r\nbeen linked to leveraging zero-day exploits on numerous occasions in combination with watering hole and spear\r\nphishing attacks. In the newly discovered attack campaign, Unit 42 identified attacks targeting organizations\r\nwithin the telecommunications, high tech, education, manufacturing, and legal services industries. The attacks\r\nlikely were initially delivered via spear-phishing e-mails, or as demonstrated by C0d0so0 in the past, legitimate\r\nwebsites that had been previously compromised then used as watering holes for the selected victims.\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:C0d0so0\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:C0d0so0\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://otx.alienvault.com/browse/pulses?q=tag:C0d0so0" ], "report_names": [ "pulses?q=tag:C0d0so0" ], "threat_actors": [ { "id": "1f3cf3d1-4764-4158-a216-dd6352e671bb", "created_at": "2022-10-25T15:50:23.837615Z", "updated_at": "2026-04-10T02:00:05.322197Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "APT19", "Codoso", "C0d0so0", "Codoso Team", "Sunshop Group" ], "source_name": "MITRE:APT19", "tools": [ "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f", "created_at": "2022-10-25T16:07:23.335869Z", "updated_at": "2026-04-10T02:00:04.547702Z", "deleted_at": null, "main_name": "APT 19", "aliases": [ "APT 19", "Bronze Firestone", "C0d0so0", "Checkered Typhoon", "Codoso", "Deep Panda", "G0009", "G0073", "Operation Kingslayer", "Red Pegasus", "Sunshop Group", "TG-3551" ], "source_name": "ETDA:APT 19", "tools": [ "Agentemis", "C0d0so0", "Cobalt Strike", "CobaltStrike", "Derusbi", "EmPyre", "EmpireProject", "Fire Chili", "PowerShell Empire", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "46a151bd-e4c2-46f9-aee9-ee6942b01098", "created_at": "2023-01-06T13:46:38.288168Z", "updated_at": "2026-04-10T02:00:02.911919Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "DEEP PANDA", "Codoso", "KungFu Kittens", "Group 13", "G0009", "G0073", "Checkered Typhoon", "Black Vine", "TEMP.Avengers", "PinkPanther", "Shell Crew", "BRONZE FIRESTONE", "Sunshop Group" ], "source_name": "MISPGALAXY:APT19", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434711, "ts_updated_at": 1775791845, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8e3ce9a743cfcdffcfb90ce9621a88ae2aef8b79.pdf", "text": "https://archive.orkl.eu/8e3ce9a743cfcdffcfb90ce9621a88ae2aef8b79.txt", "img": "https://archive.orkl.eu/8e3ce9a743cfcdffcfb90ce9621a88ae2aef8b79.jpg" } }