{
	"id": "995b50c5-6b10-4fb3-975b-64c2f15993f7",
	"created_at": "2026-04-06T00:10:35.025351Z",
	"updated_at": "2026-04-10T03:34:28.214626Z",
	"deleted_at": null,
	"sha1_hash": "9a64ddc8017a55c94eb70167fe67780f178ee0ab",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 268666,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy PetrP.73\r\nArchived: 2026-04-05 18:55:23 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:winnti\r\nPage 1 of 19\n\nRevisiting MoonBounce: Research Notes\r\nFileHash-MD5: 1 | FileHash-SHA1: 1\r\nThe MoonBounce implant has been identified as a sophisticated UEFI firmware implant associated with the APT group APT41, also known as Winnti. This malware targets the Unified Extensible Firmware Interface (UEFI), enabling it to operate at a low level, essentially within the system's firmware. Once embedded, MoonBounce is capable of surviving operating system reinstallations and can remain undetected by conventional antivirus solutions. The primary characteristic of MoonBounce is its ability to manipulate the firmware of the device, allowing it to execute malicious payloads during the boot process, thus facilitating persistent access to the compromised system. This UEFI implant represents a significant threat due to its potential to compromise devices at the hardware level.\n\nAPT41 Cyber-Espionage Campaign Targets U.S. Policy Institutions\r\nCVE: 6 | FileHash-MD5: 3 | FileHash-SHA1: 3 | FileHash-SHA256: 6\r\nIn April 2025, the advanced persistent threat group APT41, known for its ties to China, initiated a targeted cyber-espionage campaign aimed at a U.S.-based non-profit organization influential in shaping government policy and foreign relations. This operation is consistent with China's strategic interests in acquiring intelligence that allows for better anticipation of U.S. foreign policy moves and diplomatic actions. APT41's methods in this campaign exhibited notable technical sophistication and operational discipline. The group employed tools and techniques that mirror those used in previous campaigns, specifically referencing their affiliations with campaigns dubbed Kelp (Salt Typhoon) and Space Pirates. The nature of these tactics suggests a comprehensive approach in which APT41 utilizes overlapping strategies to maximize the efficacy of their espionage efforts.\n\nMISSION2025 - APT41.\r\nCVE: 6\r\nAPT41, also known as MISSION2025, is a Chinese state-sponsored advanced persistent threat group that has been active since at least 2012. The group is particularly focused on cyberespionage and financially motivated attacks, using sophisticated techniques to target a wide range of industries globally. Their operations are aligned with China's economic strategy, notably the \"Made in China 2025\" initiative, emphasizing intellectual property theft and corporate espionage.\n\nRevivalStone：Winnti Group\r\nFileHash-MD5: 3 | FileHash-SHA1: 3 | FileHash-SHA256: 7 | YARA: 4\r\nWinnti Group, a group of security experts, has announced it will hold a conference on \"new puzzle\" for the next two years. £1.5bn..-\n\nKiteshield Packer is Being Abused by Linux Cyber Threat Actors\r\nFileHash-MD5: 11 | FileHash-SHA1: 10 | FileHash-SHA256: 10 | URL: 1 | YARA: 1 | Hostname: 1\r\nA team of researchers from XLab has uncovered a new method of hiding malware in ELF files on Linux, and discovered that it is being used by cybercrime groups to evade antivirus systems.\n\nThreat Intel Report - W51-2024\r\nFileHash-MD5: 13 | FileHash-SHA1: 13 | FileHash-SHA256: 16 | URL: 196 | Domain: 76 | Hostname: 79\r\nThis is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools. These are weekly recommendations to all IT Administrators and CISOs to take corrective actions and upgrade their security infrastructure against the threats and attacks newly identified this week. Security is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools. These details may be used as an additional layer to verify an organization's current security posture against the latest cyber trends.\n\nTest3-17 Dec\r\nFileHash-MD5: 17 | FileHash-SHA1: 1 | FileHash-SHA256: 1 | Hostname: 2\n\nBlack and White Domination: Glutton Trojan Lurks in Mainstream PHP Frameworks\r\nFileHash-MD5: 17 | FileHash-SHA1: 1 | FileHash-SHA256: 1 | Hostname: 2\r\nThe XLab threat detection system uncovered an advanced PHP trojan named Glutton, which has been active for over a year without detection. Glutton targets both legitimate businesses and cybercriminal operations, infiltrating popular PHP frameworks like ThinkPHP and Laravel. It employs modular components for information theft, backdoor installation, and code injection. The malware can deploy both ELF-based Winnti backdoors and PHP-based backdoors, demonstrating cross-platform capabilities. Notably, Glutton also targets black market operations by infecting their systems, potentially aiming to steal from cybercriminals themselves. The attack framework operates without leaving files on disk, making detection challenging.\n\nstaging test 2\r\nFileHash-MD5: 17 | FileHash-SHA1: 1 | FileHash-SHA256: 1 | Hostname: 2\n\nstaging test -f1\r\nFileHash-MD5: 17 | FileHash-SHA1: 1 | FileHash-SHA256: 1 | Hostname: 2\n\nSource: https://otx.alienvault.com/browse/pulses?q=tag:winnti",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:winnti"
	],
	"report_names": [
		"pulses?q=tag:winnti"
	],
	"threat_actors": [
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a64ddc8017a55c94eb70167fe67780f178ee0ab.pdf",
		"text": "https://archive.orkl.eu/9a64ddc8017a55c94eb70167fe67780f178ee0ab.txt",
		"img": "https://archive.orkl.eu/9a64ddc8017a55c94eb70167fe67780f178ee0ab.jpg"
	}
}