{
	"id": "9c59247f-3842-4efd-87c6-dcf8f5470949",
	"created_at": "2026-04-06T03:37:09.240963Z",
	"updated_at": "2026-04-10T03:23:51.568088Z",
	"deleted_at": null,
	"sha1_hash": "93d1f8739919babe6e6c7a116a3f21af546a59bb",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359716,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy TheNewRaikage\r\nArchived: 2026-04-06 02:51:01 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:KASPERAGENT\r\nPage 1 of 4\n\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to\r\nmore than 1.5 million customers across the globe, and offers a wide range of products and services.\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:KASPERAGENT\r\nPage 2 of 4\n\n17 Subscribers\r\nBadPatch: 5 Years Old Espionage Campaign Targeting Middle East Discovered\r\nIn April 2017, in collaboration with Clearsky, Palo Alto Networks Unit 42 published an article about our research\r\ninto targeted attacks in the Middle East. In that research we discussed two new malware families we named\r\nKASPERAGENT and MICROPSIA. Since then, we have continued our research into the Command and Control\r\n(C2) infrastructure associated with KASPERAGENT and MICROPSIA. This ongoing research led us to a new\r\nMiddle Eastern campaign. Our findings from this new campaign include C2 infrastructure, new attack methods,\r\nfour types of malware (including Android malware), a system for management of stolen victim data and some\r\ndetail of the actors. It is notable that our research has shown that this newly-identified attack campaign dates back\r\nto at least June 2012, over five years ago.\r\n55 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:KASPERAGENT\r\nPage 3 of 4\n\nBadPatch\r\nCVE: 1 | FileHash-SHA256: 150 | URL: 10 | Domain: 8 | Email: 5 | Hostname: 4\r\nIn April 2017, in collaboration with Clearsky, Palo Alto Networks Unit 42 published an article about our research\r\ninto targeted attacks in the Middle East. In that research we discussed two new malware families we named\r\nKASPERAGENT and MICROPSIA. 
Since then, we have continued our research into the Command and Control\r\n(C2) infrastructure associated with KASPERAGENT and MICROPSIA. This ongoing research led us to a new\r\nMiddle Eastern campaign. Our findings from this new campaign include C2 infrastructure, new attack methods,\r\nfour types of malware (including Android malware), a system for management of stolen victim data and some\r\ndetail of the actors.\r\n374,056 Subscribers\r\n157 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:KASPERAGENT\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:KASPERAGENT\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:KASPERAGENT"
	],
	"report_names": [
		"pulses?q=tag:KASPERAGENT"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446629,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93d1f8739919babe6e6c7a116a3f21af546a59bb.pdf",
		"text": "https://archive.orkl.eu/93d1f8739919babe6e6c7a116a3f21af546a59bb.txt",
		"img": "https://archive.orkl.eu/93d1f8739919babe6e6c7a116a3f21af546a59bb.jpg"
	}
}