{
	"id": "991f62f4-6f96-45de-bfe2-17ed407dcd9c",
	"created_at": "2026-04-06T00:08:09.778338Z",
	"updated_at": "2026-04-10T13:12:21.608065Z",
	"deleted_at": null,
	"sha1_hash": "99082dea169edfd63d6d0d53e44f30226000e783",
	"title": "Vicious Panda: The COVID Campaign - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1754656,
	"plain_text": "Vicious Panda: The COVID Campaign - Check Point Research\r\nBy lotemf\r\nPublished: 2020-03-12 · Archived: 2026-04-02 12:36:40 UTC\r\nIntroduction\r\nCheck Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare in order to deliver a previously unknown malware implant to the target.\r\nA closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.\r\nIn this report, we provide a full analysis of the TTPs utilized throughout this campaign, the infrastructure, and the new tools we uncovered during our research, of what we believe to be a Chinese-based threat actor.\r\nLure Documents\r\nThe investigation started when we identified two suspicious RTF documents sent to the Mongolian public sector. 
The documents were written in the Mongolian language, with one of them allegedly from the Mongolian Ministry of Foreign Affairs:\r\nDocument 1: Information about the prevalence of new Coronavirus infections\r\nhttps://research.checkpoint.com/2020/vicious-panda-the-covid-campaign\r\nPage 1 of 12\r\nDocument 2: Purchases for buildings in documentary projects\r\nThese RTF files were weaponized using version 7.x of a tool named RoyalRoad (aka 8.t). This tool, which is commonly used by various Chinese threat actors, allows the attacker to create customized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word.\r\nInfection Chain\r\nAfter the victim opens the specially crafted RTF document and the Microsoft Word vulnerability is exploited, a file named intel.wll is dropped into the Word startup folder: %APPDATA%\\Microsoft\\Word\\STARTUP.\r\nThis persistence technique is often used by newer versions of the so-called RoyalRoad. Every time the Microsoft Word application is launched, all the DLL files with a WLL extension in the Word Startup folder are launched as well, triggering the infection chain we describe below:\r\nInfection Chain Diagram\r\nThis not only serves as a persistence technique, but also prevents the infection chain from fully “detonating” if run inside a sandbox, as a relaunch of Microsoft Word is required for the full execution of the malware.\r\nAfter it’s loaded, the malicious intel.wll DLL proceeds to download and decrypt the next stage of the infection chain from one of the threat actor’s servers: 95.179.242[.]6.\r\nThe next stage downloaded is also a DLL file, and it serves as the main loader of the malware framework developed by the attackers. 
It is executed using Rundll32, and it communicates with another one of the threat actor’s C\u0026C servers (95.179.242[.]27) to receive additional functionality.\r\nThe threat actor operates the C\u0026C server in a limited daily window, going online only for a few hours each day, making it harder to analyze and gain access to the advanced parts of the infection chain.\r\nAt the final stage of the infection chain, after the appropriate command is received, the malicious loader downloads and decrypts a RAT module, also in the form of a DLL file, and loads it into memory. This plug-in-like architecture might hint at the existence of other modules in addition to the payload we received.\r\nThe RAT module appears to be a custom and unique malware, though it also includes some rather common core capabilities, listed below:\r\nTake a screenshot\r\nList files and directories\r\nCreate and delete directories\r\nMove and delete files\r\nDownload a file\r\nExecute a new process\r\nGet a list of all services\r\nOpen Window\r\nAt the beginning of our research, one of the attacker’s servers, which served the next stage malware, had directory listing enabled for a limited time. 
This allowed us to download all hosted files, as well as to gain some insight into the operation timeline and the working hours of the attackers.\r\nOpen directory at 95.179.242[.]6\r\nEven though they were available for download, all the files on the server came encrypted. Luckily, by utilizing the same encryption scheme seen in our infection chain, we were able to decrypt most of the files stored on the server.\r\nkey = \"VkvX7CK7X7*t$x\u0026hssLR6fOyFSaKrFJKx\u0026@#AK*Fnukj@J9J40f1mKaN$nsCNKPe\"  # 64-byte XOR key\r\ndef decrypt(enc, offset):\r\n    # XOR every byte with the key, starting at \"offset\"; \u0026 0x3f wraps the index within the 64-byte key\r\n    decrypted = \"\"\r\n    for i in range(len(enc)):\r\n        decrypted += chr(ord(enc[i]) ^ ord(key[(i + offset) \u0026 0x3f]))\r\n    return decrypted\r\nDecryption scheme derived from “intel.wll”\r\nThe dozen files that we were able to decrypt can be divided into four main clusters of malware loader families. Their embedded internal names and core functionality are described below:\r\nhttp_dll.dll (Intel.wll): The first stage loader described above. Decrypts the C\u0026C address, then downloads and decrypts the next stage DLL, and executes it via Rundll32.\r\nppdown.dll: Functions as downloader and decryptor for the .rar files stored on the attackers’ server. 
Reads an access.txt file from the server, decrypts it and splits the result into 3 parts:\r\n1) The name of the next stage to download.\r\n2) The next stage export function to call.\r\n3) The decryption key for the next stage.\r\nRundll32Templete.dll: This variant serves as loader and decryptor for the next stage payload. The payload is encrypted in the .sect section.\r\nMinisdllpub.dll: The second stage loader, fully described below. Loads additional DLL plugins. A similar version of this payload, called minisdllpublog.dll, contains some additional debug printing capabilities.\r\nPayload types found on the server\r\nConnection to other samples\r\nAfter gaining access to the additional decrypted files, we were able to hunt for similar samples. Searching for similar files by the internal names (http_dll, Rundll32Templete and minisdllpub), unique exported functions (Engdic, WSSet and MSCheck) and code similarities (decryption methods, communication patterns, etc.) allowed us to find more samples related to the attacker:\r\n5560644578a6bcf1ba79f380ca8bdb2f9a4b40b7 http_dll.dll\r\n207477076d069999533e0150be06a20ba74d5378 http_dll.dll\r\nb942e1d1a0b5f0e66da3aa9bbd0fb46b8e16d71d http_dll.dll\r\n9ef97f90dcdfe123ccb7d9b45e6fa9eceb2446f0 hcc_dll.dll\r\ncf5fb4017483cdf1d5eb659ebc9cd7d19588d935 Rundll32Templete.dll\r\n92de0a807cfb1a332aa0d886a6981e7dee16d621 Rundll32Templete.dll\r\ncde40c325fcf179242831a145fd918ca7288d9dc minisdllpublog.dll\r\n2426f9db2d962a444391aa3ddf75882faad0b67c IrmonSvc.dll\r\n9eda00aae384b2f9509fa48945ae820903912a90 IrmonSvc.dll\r\n2e50c075343ab20228a8c0c094722bbff71c4a2a IrmonSvc.dll\r\n2f80f51188dc9aea697868864d88925d64c26abc NWCWorkstation.dll\r\nNewly discovered related samples\r\nOne of the samples found (92de0a807cfb1a332aa0d886a6981e7dee16d621) led us to an article covering a similar initial infection chain, which appears to be 
after Ukrainian targets. Another sample (9ef97f90dcdfe123ccb7d9b45e6fa9eceb2446f0) was originally dropped by an RTF document which appears to be targeting entities in the Russian Federation, back in late 2018.\r\nInfrastructure\r\nAnalyzing the newly discovered samples introduced us to a larger part of the infrastructure utilized by the threat actor, and a common TTP: all the C\u0026C servers were hosted on Vultr servers and the domains were registered via the GoDaddy registrar.\r\nInfrastructure overview\r\nAs we analyzed this campaign, in addition to the infrastructure used, we also noticed an interesting behavior by the attackers. At a certain point, the C\u0026C server 95.179.242[.]6 stopped serving the open directory listing. A few days later, dw.adyboh[.]com became an open directory:\r\nOpen directory listing at dw.adyboh[.]com\r\nThis might indicate that the attackers enable directory listing when one of their payload delivery servers is in active use.\r\nAttribution\r\nFrom the malicious document perspective, we believe that the naming scheme for intel.wll, which is dropped by version 7.x of RoyalRoad, is not enough to make a clear-cut attribution, as we observed the same name used by various threat actors dropping different malware families such as Bisonal and Poison Ivy.\r\nFrom the payload perspective, on the other hand, once we found the additional related samples mentioned in the Hunting section above, we were able to connect it to a known threat group. In the NWCWorkstation.dll sample mentioned above, we observed a unique string as part of the logging functionality: “V09SS0lO”. 
This led us to an article from 2017 by Palo Alto Networks, titled Threat Actors Target Government of Belarus, which describes an attack that utilizes a RAT named BYEBY.\r\nThe article itself also connects to a previous article dating back to 2016, where the same tools were used in an attack targeting the Mongolian government. The article also explores the connections between these attacks and previous attacks related to the Enfal Trojan.\r\nBy comparing the IOCs from the 2017 attack to our campaign we observed several similarities:\r\nInfrastructure Similarities\r\nThe servers from the 2017 publication were set on the same infrastructure as all the other samples found during our investigation, and utilize Vultr and GoDaddy services.\r\nCode Similarities\r\nWhen analyzing one of the files from the open directory (bf9ef96b9dc8bdbc6996491d8167a8e1e63283fe), we noticed that it decrypts and loads a DLL named wincore.dll. By investigating this dropped file, we were able to make several correlations to the BYEBY sample from 2017:\r\n1. String similarity:\r\n“BYEBY” strings\r\n“wincore.dll” strings\r\n2. Function similarity – Important functions in both BYEBY and wincore.dll have almost the same implementation. One such function is the payloads’ main thread function.\r\nMalware implementation similarities\r\n3. Global Call-Graph and X-Ref Graph – Even though some obfuscation exists in both samples, we were able to verify that they have similar call and reference graphs, meaning that the core functionality of the executables is the same.\r\nPayload – In Depth Analysis\r\nTo recap, the second stage payload in the attack chain is an encrypted DLL file named minisdllpub.dll. The DLL, downloaded from 95.179.242[.]6, is a downloader for an additional payload. 
In the following section, we go over its implementation and highlight the characteristics which are unique to this payload.\r\nMinisdllpub.dll begins by creating a mutex with the name Afx:DV3ControlHost. This is a unique indicator that can later be used to hunt for more samples in the wild. It then defines a structure of size 0x5f8 to store system and environment information such as the name of the running computer, IP addresses, the username, and OS version. Next, another structure of size 0x3FC is created, this time to store pointers to loaded DLLs and API functions, as well as the command and control IP address (95.179.242[.]27) and port (443).\r\nAfter setting up these structures, the flow continues and a new thread is created. First, it fetches several lists of API functions and dynamically loads them. As can be seen in the following image, each list is comprised of the name of a library followed by a sequence of API functions to load from this library. Pointers to these functions are then added to the previous structure, which is used to dynamically invoke them when needed.\r\nComma-separated lists of API functions, prepended with the library name\r\nThe second stage payload then sets up HTTP or HTTPS communication, depending on several checks, and starts communicating with its remote control in new threads. When the server replies, it sends an XOR-encoded DLL to the malware, with the key 0x51. Minisdllpub.dll then decodes the given payload and dynamically loads the new PE into memory. When loaded, it searches for an export function with the name e. The malware then keeps listening for commands from the server, and when those are received, it passes them to the \"e\" function of the newly loaded payload. 
By doing so, the second stage operates as a middle-man between the C\u0026C and the final payload – a remote access tool.\r\nThe malware searches for the export function “e” in order to invoke it\r\nAt this point, we have a unique layout of modules loaded on the victim’s computer. First is Minisdllpub.dll, which was initially loaded using Rundll32 by http_dll.dll (intel.wll) when a Microsoft Office application was executed. Next, we have the RAT payload itself, which receives its control commands not directly from the C\u0026C, but through Minisdllpub.dll, which acts as a mediator.\r\nLoader execution flow\r\nInterestingly, in addition to the commands to execute, Minisdllpub.dll also passes several structures to the final payload. The structures which were previously built and filled are now used by the RAT to dynamically invoke API functions and deliver data to the C\u0026C server. This unique approach of re-using function pointers that were loaded in the previous module makes analyzing the RAT hardly possible without having the previous stage as well.\r\nThe supported functionalities of the final payload, as well as the respective commands it receives and sends, are described in the table in Appendix A.\r\nConclusion\r\nIn this campaign, we observed the latest iteration of what seems to be a long-running Chinese-based operation against a variety of governments and organizations worldwide. 
This specific campaign leverages the COVID-19 pandemic to lure victims into triggering the infection chain.\r\nThe attackers updated their toolset from documents with macros and older RTF exploits to the latest variation of the “RoyalRoad” RTF exploit-builder observed in the wild.\r\nThe full intention of this Chinese APT group is still a mystery, but it is clear they are here to stay and will update their tools and do whatever it takes to attract new victims to their network.\r\nCheck Point SandBlast Agent protects against this APT attack, and prevents it from the very first steps.\r\nAppendix A: RAT Module – Supported Commands\r\nCommand ID (Sent from C\u0026C) | Sub Command ID (Sent from C\u0026C) | Description | Response ID (Sent from Bot)\r\n0x21 | - | Write a file to a specified path. Set the written file’s timestamp to the timestamp of the local kernel32.dll. | 0x22\r\n0x23 | - | Get contents of a file. | 0x24\r\n0x25 | - | List files in a directory. | 0x26\r\n0x2E | - | Execute command in a new thread. | 0x31\r\n0x2F | - | Execute a command. | 0x30\r\n0x32 | 0x00 | Create a directory at a given path. | 0x33\r\n0x32 | 0x01 | Remove a directory at a given path. | 0x33\r\n0x32 | 0x02 | Move a file from a given path to a given directory. | 0x33\r\n0x32 | 0x03 | Delete a file at a given path. | 0x33\r\n0x32 | 0x04 | Move a file from a given path to a given directory (same as subcommand 0x02). | 0x33\r\n0x34 | 0x07 | Get a list of all the services. | 0x35\r\n0x34 | 0x08 | Execute a new process using WinExec. | 0x35\r\n0x34 | 0x09 | Execute a new process (same as subcommand 0x08). | 0x35\r\n0x34 | 0x0A | Take a screenshot. | 0x35\r\n0x34 | 0x15 | Set registry key values. | 0x35\r\n0x34 | 0x16 | Download file from URL. | 0x3A or 0x3B\r\n0x34 | 0x17 | Download file from URL (same as subcommand 0x16). | 0x3A or 0x3B\r\n0x34 | 0x18 | Create pipes and execute a new process. | 0x3D or 0x3B\r\n0x34 | 0x19 | Create pipes and execute a new process (same as subcommand 0x18). | 0x3D or 0x3B\r\n0x36 | - | Copy the file of the current process with a “.t” extension and modify the registry. | 0x37\r\nAppendix B: Files on the server\r\nAppendix C: Additional IOCs\r\nSource: https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign"
	],
	"report_names": [
		"vicious-panda-the-covid-campaign"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5c5d5d4-3969-4e34-9982-55144c3908eb",
			"created_at": "2022-10-25T16:07:24.37846Z",
			"updated_at": "2026-04-10T02:00:04.965506Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"Bronze Dudley"
			],
			"source_name": "ETDA:Vicious Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"BBSRAT",
				"Byeby",
				"Cmstar",
				"Enfal",
				"Lurid",
				"Pylot",
				"RoyalRoad",
				"Travle",
				"meciv"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434089,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99082dea169edfd63d6d0d53e44f30226000e783.pdf",
		"text": "https://archive.orkl.eu/99082dea169edfd63d6d0d53e44f30226000e783.txt",
		"img": "https://archive.orkl.eu/99082dea169edfd63d6d0d53e44f30226000e783.jpg"
	}
}