{
	"id": "d38a18c6-439b-4a2e-8b2b-53c2ee07df95",
	"created_at": "2026-04-06T00:14:20.835669Z",
	"updated_at": "2026-04-10T13:11:59.175477Z",
	"deleted_at": null,
	"sha1_hash": "8fe6e7a6ae34bed7fb5b1eac731e0334dccddcdf",
	"title": "The Origins of APT 41 and ShadowPad Lineage - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1318487,
	"plain_text": "The Origins of APT 41 and ShadowPad Lineage - CYFIRMA\r\nArchived: 2026-04-05 18:02:52 UTC\r\nPublished On: 2022-07-13\r\nIntroduction\r\nWhen the CYFIRMA research team began its work on tracking APT41, it became apparent that there is a rich\r\nhistory to be learned first as part of any attempt to understand this APT. This history allowed us to trace the\r\nlineage of the ShadowPad modular malware kit back to the early 2000s while finding its likely exclusive use in\r\nthe current day by the reformed Chinese military. This paper will focus mainly on tracking early history,\r\nconnections, and legacies to provide useful CTI context to current-day TTPs and campaigns. While there have\r\nbeen many works published over more than a decade about individual pieces of this puzzle, to our knowledge,\r\nthere is no publicly available work covering the entire story.\r\nThere are many more names involved (see figure below for a few), but we have chosen to follow only two main\r\ncharacters for this story: Tan Dailin, known as Meigui (Wicked Rose, also translated as Withered Rose), and\r\n‘whg’, the known author of the PlugX RAT. The latter was not a permanent member of the NCPH group but played a\r\nmajor role in developing important tools leading up to the ShadowPad malware that is used today.\r\nhttps://www.cyfirma.com/outofband/the-origins-of-apt-41-and-shadowpad-lineage/\r\nPage 1 of 17\n\nBetween 2007 and 2008 this story branches out in multiple directions, such as the Winnti or Chengdu 404\r\nconspiracy, all of which are equally fascinating. For clarity, we focused only on ShadowPad-related branches.\r\nEarly Days\r\nThe story begins in 1994 when Tan Dailin aka Rose started a hacking group with his friends that would eventually\r\nform the Network Crack Program Hacker Group (NCPH), which later grew into today’s APT41. 
Not much is known\r\nabout the very early hacking activity of Rose or the group members. However, according to Rose’s archived blog,\r\nhe grew up very poor and learned programming from books borrowed from the school library. He did not own a\r\ncomputer and learned by writing code with pencil and paper before being able to use computers at a local “third-rate” university. There he got into hacking and met like-minded friends, and it is here that his talent was later\r\ndiscovered by the PLA (People’s Liberation Army of China). According to Alan Paller’s testimony before the US\r\nSenate, Rose was contacted by the Sichuan Military Command Communication Department to sign up for the Chengdu\r\nMilitary Command Network Attack/Defense Competition. His team won this competition, received intensive 30-day\r\ntraining from the state, and went on a winning streak competing against other provinces, netting 20,000 RMB\r\nin prize money. This is also when they reportedly received an “undisclosed” sponsor paying the group 2,000 RMB\r\na month to work on targeted attacks. After completing targeted attacks, they would receive 5,000 RMB bonuses.\r\nThat was a lot of money in China in 2006. Alan Paller’s testimony also mentions Tan Dailin and his group\r\nstarting a company to develop hacking tools for the PLA. This company was likely CNASM, through which they\r\noffered many of the tools they developed. Such contracting gigs, according to available intelligence, are in line\r\nwith the current state of the Chinese nation-state-sponsored cyber warfare program. 
Similar to other nations like\r\nthe USA or Israel, there are several private companies contracted to support state efforts with tools and manpower in\r\ncyberspace.\r\nZero-Days\r\nIn 2006, the group gained international media notoriety through a series of 0-day exploits and attacks against\r\nvulnerabilities in MS Office products, targeting Japan, the USA, and the UK. The broader series of cyber-attacks\r\nfrom China was named Titan Rain by the US government. These attacks carried the GinWui\r\nbackdoor/rootkit developed by Rose and whg as their payload. Although Titan Rain included multiple Chinese threat actors and\r\ncampaigns, Tan Dailin’s group stood above the rest with multiple 0-day exploits and precisely executed attacks.\r\nNotable modus operandi during these campaigns included carefully crafted spear-phishing emails targeted at\r\nsingle individuals and often sent to only one or two recipients. This is a testament to a high success rate and implies that stealth was a\r\npriority, offering another clue to espionage motivation and likely PLA contracts in place.\r\nIn 2007, Time magazine interviewed the NCPH group, and they confessed to much of the above. They also ran a\r\nnow-defunct blog, www.ncph.net, where they openly talked about their activities. Additionally, Rose himself ran a\r\npersonal blog at mghacker.com.\r\nAPT41 Days\r\nAfter 2007, all public online presence of the group and the TTPs they used started to disappear. Later, they also\r\nstarted removing old traces and tools even from their business CNASM website, which eventually disappeared\r\ntoo. All this while attacks from China increased in volume and sophistication. 
This makes sense: the group and the PLA alike very likely soon realized that the initial\r\nwillingness to stay in the spotlight of media attention was a big mistake.\r\nSince then, activity initially traced to the NCPH group has branched out, and as its TTPs overlapped with new\r\nones, researchers began to track this cluster of activity as APT41. Major confusion was caused by this nexus of\r\nactivities conducting covert espionage campaigns while simultaneously hacking for personal gain. According to\r\nthe US Department of Justice 2020 report, members of APT41 went on a decade-long cybercrime spree. This\r\nincluded hacking video games for profit, namely generating in-game items with real-world monetary value, or\r\noutright hacking the gaming companies. Then there is the Chengdu 404 racketeering conspiracy, where APT41\r\nmembers used the Chengdu 404 Network Technology company as a front to hack and blackmail over 100 companies,\r\norganizations, and individuals across the world, but mainly in East and Southeast Asia. Many of these gaming\r\nindustry attacks were also linked to the Winnti group and the tool Winnti for Windows, a Remote Access Trojan\r\n(RAT).\r\nThis aligns with the hypothesis of a legitimate contracting company, led by Tan Dailin aka Rose and contracted by\r\nthe PLA to deliver hacking tools and conduct targeted attacks. At the same time, they were likely enjoying special\r\nprivileges to conduct cyber-attacks for personal gain as long as their victims were outside China and its\r\nallies (Russia, DPRK, Iran, etc.), since those were curiously missing from the map of their victims. 
And it explains\r\nthe unusual overlap of TTPs and tools like PlugX used in cutting-edge nation-state covert campaigns along with\r\nfor-profit hacking, long before the trend of using commodity malware and TTPs that we see today.\r\nShadowPad and Chinese Military Reform\r\nWhen tracking ShadowPad’s history and activities, various elements of previously used tools like PlugX or Winnti\r\nfor Windows came together as part of one “masterpiece” modular malware kit. Using a unified, versatile\r\nframework is cost- and resource-effective for any organization: developers can focus on\r\nmaintaining and developing its capabilities further, while users enjoy the ease of conducting most of\r\ntheir attacks through a single tool. Assuming said users are military officers, this is invaluable in being able to train\r\nas many people as possible to conduct cyberspace operations.\r\nFurthermore, unlike PlugX, which was and still is used widely by many groups, ShadowPad appears to be\r\ndesigned for specific and limited users only, namely the People’s Liberation Army Strategic Support Force\r\n(PLA SSF), founded in 2015 as part of the Chinese military reform. The timelines seem to check out, and ShadowPad has,\r\nthrough its encrypted plugin design and ID system, given its authors robust control over how and by whom it is being\r\nused.\r\nAdditionally, while studying the web archives about NCPH and early APT41 activities, their keen interest in\r\nJapanese popular culture and video games is very apparent. Also discernible is a long history of focus on Japanese\r\ntargets since at least 2003, which later expands to other East and Southeast Asian targets, while still predominantly\r\ntargeting gaming companies. 
Considering this valuable long-term knowledge of the local cyber-landscape together with all\r\nthe other circumstantial evidence, we suggest that the PLA SSF units that first contracted them were those known as Tick and\r\nTeam Tonto, which focus on East Asia and Japan. This would explain ShadowPad being initially used almost\r\nexclusively against organizations in this region and by these APTs. Since then, ShadowPad has been detected more widely\r\nacross the world, suggesting growing adoption across the PLA SSF.\r\nGinWui/NCPH Remote Control\r\nGinWui is the name given to the “NCPH remote control” tool by western researchers, and it is the first known\r\nmalware toolkit created by members of the NCPH group. It was extensively used during the 2006 0-day attacks on\r\nMS Office products and was co-developed by Rose and whg during their NCPH days.\r\nNote: For the purposes of this article, the names “GinWui” and “NCPH tool” are used interchangeably, as they both refer to\r\nthe same software.\r\nNotable is the extensive use of the early DLL loading technique that the group developed for GinWui. This\r\ntechnique has been gradually developed and improved and is used in its latest iterations to this day by PlugX and\r\neven ShadowPad plugins.\r\nThe group offered a GinWui demo version for free on their website together with other tools that they had\r\ndeveloped. 
The full version was most likely available only to members and the PLA, which allegedly contracted its\r\ndevelopment, including version 3.0 of the tool that is formally branded as the “NCPH remote control” rootkit by\r\nthe NCPH group.\r\nThrough the magic of internet archives, we were able to find all the tools offered on the group’s official CNASM\r\ncompany website.\r\nWhile looking at the other and older tools available on the website, it is clear that many of them were the building\r\nblocks of NCPH remote control and ended up being absorbed into it. At the end of 2005, the group consolidated\r\neverything and continued developing it as one tool for some time.\r\nEach version came with promotional screenshots and release notes.\r\nRelease notes (translated):\r\nSupport batch file breakpoint upload and download.\r\nSupport remote process and registry management\r\nSupport more remote hardware and software information\r\nSupport screenshot operation with SHELL command\r\nSupport … It’s better to see for yourself.\r\nRelease notes (translated):\r\nModification record\r\n2006-05-28 Release the latest version of 5.0\r\n2006-05-30 Solve the problem of 5.0 mouse funnel.\r\n2006-05-30 Solve the problem that 5.0 can’t be online, more than 10 characters domain name can not be\r\nonline.\r\nI. 
Technical features\r\nControlled side using DLL design method\r\nNo services on the controlled side (the controlled side does not rely on services to start, so do not add any\r\nservices)\r\nControlled side to hide files, registry, modules, port connection information\r\nThe controlled side of self-protection with guarding capabilities\r\nThe controlled side penetrates the personal firewall by injecting IE process.\r\nThe controlled side of the bounce connection, support for domain names, IP.\r\nII. Service content and console function settings\r\nFile management functions of the major categories (batch upload, download, delete, support directory,\r\nbreakpoint sequential transfer)\r\nProcess management, you can browse, take module information, terminate the process.\r\nService management, can browse, delete, stop, start specified services\r\nSHELL command, can execute any DOS command and return the result.\r\nCan lock, restart, shut down the controlled computer, can uninstall the server\r\nLogging, comprehensive operation records, as well as the ability to view the cause of failure\r\nScreenshot, camera, self-start, user, shared information, hardware and software information, etc.\r\nSupport voice prompts.\r\nRelease notes (translated):\r\nOrigins of APT41 and ShadowPad lineage\r\nFig. x GinWui/NCPH6.0.1\r\nncph6.0 Features Introduction\r\n1) Disk management, upload and download, process execution, support for breakpoints, support for multi-language view and use. 
2) process management, view process, end this process\r\nService management, view services, start services, stop services\r\nRemote control, view screen, control screen\r\ncmdshell, command execution, imitate windows cmdshell\r\nSystem command, send message, shutdown and restart, uninstall.\r\nThis version is very stable and removes unnecessary hook hiding.\r\nThis software is only suitable for managing authorized remote computers, please do not use it for illegal activity;\r\nto prevent illegal use, some functional restrictions have been applied. ncph will release the next version with improved ease of use\r\nand high stability, so stay tuned.\r\nAs previously noted, in 2007 all versions of the NCPH tool were removed from the website and only other, older\r\ntools remained. The CNASM company later continued to develop and offer other tools on their website until at least\r\n2013.\r\nSockMon – Powerful process and network monitoring utility.\r\nVirTest – Promoted as a tool for developers to test their software for antivirus detection.\r\nPM – Universal Port Mapper, a remote control tool allowing internal network IPs and ports to be mapped to internet-facing IPs and ports, as described on their page.\r\nTranslated: Practical application, the internal network “192.168.0.100:3389” mapped to “221.10.254.92:3380”.\r\nExecute the command in “192.168.0.100”: PM -C 3389 221.10.254.92:12345\r\nExecute the command at “221.10.254.92”: PM -S 3380 12345\r\nUse remote desktop connection “221.10.254.92:3380” to control the intranet machine 192.168.0.100:3389. Port\r\n12345 is the data transit port, you can set it as you like.\r\nTranslated: The super springboard, using a combination of mappings, so that the control target machine alternates\r\nbetween the intranet and the extranet, to achieve the purpose of hiding the controller’s real address.\r\nThe final mapping is intranet 
(controller)-\u003epublic-\u003einternal-public-\u003einternal …. -\u003e target machine, and finally,\r\nthe most front-end intranet user becomes the scapegoat of the controller.\r\nIt is very clear that this company was not developing the usual admin and dev utilities even after removing the\r\nGinWui/NCPH Tool rootkits. And with high confidence, we can say that these tools were used in developing PlugX.\r\nPlugX\r\nKnown and active since 2008, this malware was extensively analyzed by researchers over the years in multiple\r\nindependent papers. It is still an active malware framework and, as its name suggests, it is a modular backdoor\r\nwith a plethora of available plugins to modify it according to the attackers’ needs. The same modular design gave\r\nPlugX a longevity of over a decade.\r\nThere are a few direct links between PlugX and its predecessor GinWui and NCPH members. The first is the use of an\r\nimproved DLL loading technique previously used in GinWui. The group has been observed changing this\r\ntechnique to avoid detection over the years. For example, in 2015 it was using a legitimate Samsung application\r\nfor DLL side-loading.\r\nAnother conclusive link to whg was hidden directly in the early PlugX samples, specifically in file paths left over from\r\ndebugging:\r\nC:\\Users\\whg\\Desktop\\*\r\nC:\\Documents and Settings\\whg\\*\r\nIf the username whg in the file path was not enough, the same was observed in other tools, SockMon and\r\nWHGSniff, available on the CNASM website. 
As noted, SockMon was actively developed by whg himself and remained available at least\r\nuntil 2012.\r\nSockMon appears to have absorbed WHGSniff later on, and according to the creators’ own description of the old 2005\r\nversion, it was used to develop other “network applications”.\r\nTranslated: “We developed SOCKMON as a monitoring tool initially to improve our own efficiency in designing\r\nnetwork applications, but eventually we found that people in network programming needed it, so we made it a\r\nshareware.”\r\nOver the years, two major pain points of the old design and distribution of PlugX became apparent. The design\r\nflaw was the inability to switch plugins during runtime, thereby severely limiting its agility and unnecessarily\r\nprolonging the time spent getting a foothold in the victim network, risking detection.\r\nAnother problem was its wide distribution among Chinese threat actors, resulting in high detection rates and\r\nsusceptibility to defensive measures, which severely hindered the malware’s ability to carry out covert espionage\r\ncampaigns. On the technical side of the distribution, authors/operators had limited to no control over the usage of\r\nthe PlugX framework and its plugins. If anyone was able to get their hands on the binaries, they were able to start\r\nusing them with all plugins, without paying and without restrictions. We believe those were the main reasons to develop a\r\nnew version that addressed these issues, and that is exactly what ShadowPad did.\r\nShadowPad\r\nUsed since at least 2017, ShadowPad is a direct descendant of PlugX, as conclusively proven by researchers. In a nutshell,\r\nearly ShadowPad did not change the TTPs used by PlugX and its plugins much. It instead addressed the issues\r\nof agility, distribution, and usage control faced by PlugX. 
They were both nearly identical modular\r\nmalware toolkits when ShadowPad first appeared. Even today, ShadowPad samples are still using the time-proven, albeit improved, DLL loading technique. It is a common thread ever since the first known version of\r\nGinWui was discovered during the 2006 MS Office 0-day attacks. What really set it apart was the capability to switch plugins\r\nduring runtime, which changed the attack patterns.\r\nEventually, a few researchers were able to analyze mistakenly published early samples of ShadowPad and\r\ndiscovered ID strings. Each of these samples had a different and limited configuration or set of capabilities: several\r\nplugins, selected based on specific IDs, etc. Furthermore, these plugins are packed in a proprietary format. They are also\r\nencrypted with a custom algorithm and decrypted in memory, meaning that if a sample gets into unauthorized hands, it will be\r\nseverely limited.\r\nThis feature allows very tight control of ShadowPad, which provides for substantially better monetization. At the\r\nsame time, it is very much in line with what the military would desire in a modern hacking toolkit.\r\nConclusion and Summary\r\nVarious research papers offer slightly different stories about ShadowPad and APT41. Even CYFIRMA’s own\r\nresearch cannot offer conclusive attribution due to countless TTP overlaps between multiple threat actors that are\r\nmore or less loosely affiliated with Tan Dailin. Some hack for personal gain, some steal secrets for the state,\r\nand some indulge in both, thereby effectively muddying the waters to the point where we will likely never know\r\nthe definitive and complete story. Following the facts from US government investigation reports and proven links,\r\nwe can paint a somewhat clear picture of who the threat actors are, what their motivations are, and where they\r\ncame from.\r\nN.C.P.H. 
was a group of hackers led by Tan Dailin who met at university and were entirely motivated by passion\r\nand bragging rights among peers. Later, after being scouted by the local military branch at a young age, they\r\nreceived state-sponsored training and were nurtured into the highly skilled professionals that we know today as\r\nAPT41.\r\nCNASM, a private company developing hacking tools for the PLA since the early 2000s, was founded by\r\nTan Dailin, and whg is known to have crafted multiple malicious programs there. The perpetrators here were still\r\nlargely motivated by passion and bragging rights, including publicly boasting about their exploits. That eventually\r\nchanged around 2007, when, after conducting campaigns for the PLA, the group’s old public posts started to disappear.\r\nAPT41 today is most likely a private company, possibly a rebranded CNASM, or multiple companies created by\r\nformer CNASM employees, contracted by the PLA and later the PLA SSF to develop cyber tools for military\r\npurposes and, at least in the early days, also contracted to conduct campaigns on behalf of the military. At the\r\nsame time, company employees and affiliates were allowed to conduct attacks for personal gain as long as they were\r\nnot targeting China and its allies. Herein was a clear switch from passion to money-motivated cybercrime along\r\nwith covert operations for the state.\r\nGinWui/NCPH tool is the first known toolkit developed by CNASM. It is notable for introducing the signature DLL\r\nloading technique and for using 0-day MS Office exploits during the 2006 attacks on Japanese and US targets.\r\nPlugX is a widely adopted and versatile modular malware toolkit used for state-sponsored espionage as well as in\r\nprivate hacking by various Chinese threat actors. The malware was notable for its plugin design and has been\r\nproven to have been developed by whg.\r\nShadowPad is the latest modular malware toolkit developed by APT41, most likely directly for the PLA SSF after the\r\n2015 PLA reforms. 
It addresses many flaws noticed in PlugX and consequently, since its first appearance, it\r\nappears to be more widely adopted by state-sponsored actors.\r\nSource: https://www.cyfirma.com/outofband/the-origins-of-apt-41-and-shadowpad-lineage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyfirma.com/outofband/the-origins-of-apt-41-and-shadowpad-lineage/"
	],
	"report_names": [
		"the-origins-of-apt-41-and-shadowpad-lineage"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434460,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fe6e7a6ae34bed7fb5b1eac731e0334dccddcdf.pdf",
		"text": "https://archive.orkl.eu/8fe6e7a6ae34bed7fb5b1eac731e0334dccddcdf.txt",
		"img": "https://archive.orkl.eu/8fe6e7a6ae34bed7fb5b1eac731e0334dccddcdf.jpg"
	}
}