{
	"id": "b59f264f-010c-41bc-94da-b15e9c61ac93",
	"created_at": "2026-04-06T00:11:49.914845Z",
	"updated_at": "2026-04-10T03:37:32.992144Z",
	"deleted_at": null,
	"sha1_hash": "9bfd8148afed8e20705452991b5b27552058ff81",
	"title": "IT threat evolution Q3 2021 - RedPacket Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 226886,
	"plain_text": "IT threat evolution Q3 2021 - RedPacket Security\r\nBy April 2, 2026\r\nPublished: 2021-11-27 · Archived: 2026-04-05 15:01:10 UTC\r\nIT threat evolution Q3 2021\r\nIT threat evolution in Q3 2021. PC statistics\r\nIT threat evolution in Q3 2021. Mobile statistics\r\nTargeted attacks\r\nWildPressure targets macOS\r\nLast March, we reported a WildPressure campaign targeting industrial-related entities in the Middle East. While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones.\r\nAnother language used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”. Interestingly, this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol are quite recognizable across all three programming languages used by the authors.\r\nWildPressure used both virtual private servers (VPS) and compromised servers in its infrastructure, most of which were WordPress websites.\r\nWe have very limited visibility for the samples described in our report, but our telemetry suggests that the targets in this campaign were also from the oil and gas industry.\r\nYou can view our report on the new version here, together with a video presentation of our findings.\r\nhttps://www.redpacketsecurity.com/it-threat-evolution-q3-2021/\r\nPage 1 of 19\n\nLuminousMoth: sweeping attacks for the chosen few\r\nWe recently uncovered a large-scale and highly active attack against targets in Southeast Asia by a threat actor that we call LuminousMoth. The campaign dates back to October last year and was still ongoing at the time we published our public report in July. 
Most of the early sightings were in Myanmar, but it seems the threat actor is now much more active in the Philippines. Targets include high-profile organizations, namely government entities located both within those countries and abroad.\r\nMost APT threats carefully select their targets and tailor the infection vectors, implants and payloads to the victims’ identities or environment. It’s not often we observe a large-scale attack by APT threat actors – they usually avoid such attacks because they are too ‘noisy’ and risk drawing attention to the campaign.\r\nLuminousMoth is an exception. We observed a high number of infections, although we think the campaign was aimed at a few targets of interest.\r\nThe attackers obtain initial access to a system by sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document. The archive contains two malicious DLL libraries as well as two legitimate executables that side-load the DLL files. We found multiple archives like this with file names of government entities linked to Myanmar.\r\nWe also observed a second infection vector that comes into play after the first one has successfully finished. 
The malware tries to spread to other hosts on the network by infecting USB drives.\r\nIn addition to the malicious DLLs, the attackers also deployed a signed but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate data.\r\nThe threat actor also deploys an additional tool that accesses a victim’s Gmail session by stealing cookies from the Chrome browser.\r\nInfrastructure ties as well as shared TTPs point to a possible connection between LuminousMoth and the HoneyMyte threat group, which has been seen targeting the same region using similar tools in the past.\r\nTargeted attacks exploiting CVE-2021-40444\r\nOn September 7, Microsoft reported a zero-day vulnerability (CVE-2021-40444) that could allow an attacker to execute code remotely on vulnerable computers. The vulnerability is in MSHTML, the Internet Explorer rendering engine. Even though few people use IE nowadays, some programs use its engine to handle web content – in particular, Microsoft Office applications.\r\nWe have seen targeted attacks exploiting the vulnerability to target companies in research and development, the energy sector and other major industries, banking, the medical technology sector, as well as telecoms and IT.\r\nTo exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If the victim opens the document, Microsoft Office downloads the script and runs it using the MSHTML engine. The script can then use ActiveX controls to perform malicious actions on the victim’s computer.\r\nTomiris backdoor linked to SolarWinds attack\r\nThe SolarWinds incident last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. 
The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT’s networks to perfect their attack. The following timeline sums up the different steps of the campaign.\r\nIn June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface.\r\nAfter this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor. None of the similarities is enough on its own to link Tomiris and Sunshuttle with sufficient confidence. However, taken together they suggest the possibility of common authorship or shared development practices.\r\nYou can read our analysis here.\r\nGhostEmperor\r\nEarlier this year, while investigating the rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. We attribute the activity to a previously unknown threat actor that we have called GhostEmperor. 
This cluster stood out because it used a formerly unknown Windows kernel mode rootkit that we dubbed Demodex, and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.\r\nThe rootkit is used to hide the user mode malware’s artefacts from investigators and security solutions. Its loading scheme is notable: it abuses the signed kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.\r\nWe identified multiple attack vectors that triggered an infection chain leading to the execution of the malware in memory. The majority of GhostEmperor infections were deployed on public-facing servers, as many of the malicious artefacts were installed by the httpd.exe Apache server process, the w3wp.exe IIS worker process, or the oc4j.jar Oracle server process. This means that the attackers probably abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files.\r\nAlthough infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate Microsoft command line utility (originally called MpCmdRun.exe). The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf. 
Unfortunately, we did not manage to retrieve this executable, but we saw that the actions following its loading included the creation and execution of GhostEmperor scripts by wdichost.exe.\r\nThis toolset was in use from as early as July 2020, mainly targeting Southeast Asian entities, including government agencies and telecoms companies.\r\nFinSpy: analysis of current capabilities\r\nAt the end of September, at the Kaspersky Security Analyst Summit, our researchers provided an overview of FinSpy, an infamous surveillance toolset that several NGOs have repeatedly reported being used against journalists, political dissidents and human rights activists. Our analysis included not only the Windows version of FinSpy, but also Linux and macOS versions, which share the same internal structure and features.\r\nAfter 2018, we observed falling detection rates for FinSpy for Windows. However, it never actually went away – it was simply using various first-stage implants to hide its activities. We started detecting some suspicious backdoored installer packages (including TeamViewer, VLC Media Player and WinRAR); then in the middle of 2019 we found a host that served these installers along with FinSpy Mobile implants for Android.\r\nThe authors have gone to great lengths to make FinSpy inaccessible to security researchers – it seems they have put as much work into anti-analysis and obfuscation as they have into the Trojan itself. 
First, the samples are protected with multiple layers of evasion tactics. Moreover, once the Trojan has been installed, it is heavily camouflaged using four complex, custom-made obfuscators.\r\nApart from Trojanized installers, we also observed infections involving UEFI (Unified Extensible Firmware Interface) and MBR (Master Boot Record) bootkits. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were first documented in our private report on FinSpy.\r\nThe user of a smartphone or tablet can be infected through a link in a text message. In some cases (for example, if the victim’s iPhone has not been jailbroken), the attacker may need physical access to the device.\r\nOther malware\r\nREvil attack on MSPs and their customers worldwide\r\nAn attack perpetrated by the REvil Ransomware-as-a-Service gang (aka Sodinokibi) targeting Managed Service Providers (MSPs) and their clients was discovered on July 2.\r\nThe attackers identified and exploited a zero-day vulnerability in the Kaseya Virtual System/Server Administrator (VSA) platform. The VSA software, used by Kaseya customers to remotely monitor and manage software and network infrastructure, is supplied either as a cloud service or via on-premises VSA servers.\r\nThe exploit involved deploying a malicious dropper via a PowerShell script. The script disabled Microsoft Defender features and then used the certutil.exe utility to decode a malicious executable (agent.exe) that dropped an older version of Microsoft Defender together with the REvil ransomware packed into a malicious library. 
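The chain just described (Defender features switched off, certutil.exe decoding the dropper, a copied Defender binary side-loading the ransomware DLL) maps onto three checks a detection engineer can run over endpoint telemetry. The Python below is an added example by the editor, not code from Kaspersky, RedPacket Security or the Kaseya incident. It runs the checks over process-creation and image-load events constructed inline. The event field names, the Set-MpPreference cmdlet as the mechanism that disabled Defender, the staging directory and every file name (payload.crt, sideload.dll) are assumptions for illustration; the article names none of them. The side-loading check is the same one you would apply to the two executables in the LuminousMoth archives and to the wdichost.exe stage of GhostEmperor described earlier.

```python
import ntpath
from dataclasses import dataclass

# Directories a signed Microsoft binary is expected to run from. A copy of such a
# binary anywhere else (temp, a staging folder) is where side-loading hosts live.
TRUSTED_DIRS = ('c:\\windows', 'c:\\program files', 'c:\\program files (x86)')

@dataclass
class ProcEvent:
    image: str      # image path of the newly created process
    cmdline: str    # its full command line

@dataclass
class ImageLoad:
    process: str    # image path of the process that loaded a module
    module: str     # path of the DLL that was loaded
    signed: bool    # sensor-verified Authenticode signature on the DLL

def in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + ntpath.sep) for d in TRUSTED_DIRS)

def defender_tampered(ev: ProcEvent) -> bool:
    '''Set-MpPreference with any -Disable* switch turns a Defender feature off.'''
    cl = ev.cmdline.lower()
    return 'set-mppreference' in cl and '-disable' in cl

def certutil_decodes_pe(ev: ProcEvent) -> bool:
    '''certutil -decode whose output is a PE: the LOLBin step that produced agent.exe.'''
    if not ev.image.lower().endswith('certutil.exe'):
        return False
    args = ev.cmdline.lower().split()
    return '-decode' in args and args[-1].endswith(('.exe', '.dll'))

def side_loaded(ev: ImageLoad) -> bool:
    '''A host binary running outside a trusted directory that loads an unsigned DLL
    from its own directory has the shape of DLL side-loading (MsMpEng.exe here,
    wdichost.exe in GhostEmperor, the executables in the LuminousMoth archives).'''
    if ev.signed or in_trusted_dir(ev.process):
        return False
    return ntpath.dirname(ev.process.lower()) == ntpath.dirname(ev.module.lower())

def find_chain(procs, loads):
    '''Return the alerts raised over the event set, in event order.'''
    alerts = []
    for ev in procs:
        if defender_tampered(ev):
            alerts.append('defender_tamper')
        if certutil_decodes_pe(ev):
            alerts.append('certutil_decode_pe')
    for ev in loads:
        if side_loaded(ev):
            alerts.append('dll_sideload:' + ntpath.basename(ev.process.lower()))
    return alerts

# Constructed events for the demo; the staging folder, file names and the
# PowerShell command line are illustrative, not taken from the incident.
POWERSHELL = ntpath.join('c:\\windows', 'system32', 'windowspowershell', 'v1.0', 'powershell.exe')
PROC_EVENTS = [
    ProcEvent(POWERSHELL, 'powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true'),
    ProcEvent('c:\\windows\\system32\\certutil.exe',
              'certutil.exe -decode c:\\stage\\payload.crt c:\\stage\\payload.exe'),
    ProcEvent('c:\\windows\\system32\\certutil.exe',
              'certutil.exe -hashfile c:\\stage\\setup.msi'),   # benign use, must not fire
]
IMAGE_LOADS = [
    ImageLoad('c:\\stage\\msmpeng.exe', 'c:\\stage\\sideload.dll', signed=False),
    ImageLoad('c:\\program files\\windows defender\\msmpeng.exe',
              'c:\\program files\\windows defender\\mpclient.dll', signed=True),
]

if __name__ == '__main__':
    for alert in find_chain(PROC_EVENTS, IMAGE_LOADS):
        print(alert)
```

Run as a script, it prints the three alerts in order; the two benign events (certutil -hashfile, and the genuine Defender installation loading its own signed DLL) stay silent. In production the signed flag comes from the sensor (Sysmon image-load events carry a Signed field), and TRUSTED_DIRS should be extended with whatever legitimate installer directories the environment uses, otherwise every portable application looks like a side-loading host.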
That library was then loaded by the legitimate, signed MsMpEng.exe via DLL side-loading: the Defender binary resolves the DLL from its own directory, so the dropped copy picks up the attacker’s library.\r\nThe attack is estimated to have resulted in the encryption of files belonging to around 60 Kaseya customers using the on-premises version of the platform. Many of them were MSPs who use VSA to manage the networks of other businesses. This MSP connection gave REvil access to those businesses, and Kaseya estimated that around 1,500 downstream businesses were affected.\r\nUsing our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time our analysis of the attack was published.\r\nWhat a [Print]Nightmare\r\nEarly in July, Microsoft published an alert about vulnerabilities in the Windows Print Spooler service. The vulnerabilities, CVE-2021-1675 and CVE-2021-34527 (aka PrintNightmare), can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers, making both vulnerabilities potentially very dangerous.\r\nMoreover, owing to a misunderstanding between teams of researchers, a proof-of-concept (PoC) exploit for PrintNightmare was published online. The researchers involved believed that Microsoft’s Patch Tuesday release in June had already solved the problem, so they shared their work with the expert community. However, while Microsoft had published a patch for CVE-2021-1675, the PrintNightmare vulnerability remained unpatched until July. 
The PoC was quickly removed, but not before it had been copied multiple times.\r\nCVE-2021-1675 is a local privilege elevation vulnerability: an attacker with low privileges can craft a malicious printer driver DLL and have the spooler load it to gain higher privileges. That is only possible if the attacker already has access to the vulnerable computer in question.\r\nCVE-2021-34527 is significantly more dangerous because it is a remote code execution (RCE) vulnerability: an authenticated user can have the spooler on a remote machine, which runs as SYSTEM, load a DLL of their choosing over the network.\r\nYou can find a more detailed technical description of both vulnerabilities here.\r\nGrandoreiro and Melcoz arrests\r\nIn July, the Spanish Ministry of the Interior announced the arrest of 16 people connected to the Grandoreiro and Melcoz (aka Mekotio) cybercrime groups. Both groups are originally from Brazil and form part of the Tetrade umbrella, operating for a few years now in Latin America and Western Europe.\r\nThe Grandoreiro banking Trojan family started its operations in Brazil, expanded to other Latin American countries and then to Western Europe. The group has regularly improved its techniques and, based on our analysis of its campaigns, operates as a malware-as-a-service (MaaS) project. Our telemetry shows that, since January 2020, Grandoreiro has mainly attacked victims in Brazil, Mexico, Spain, Portugal and Turkey.\r\nMelcoz had been active in Brazil since at least 2018, before expanding overseas. We observed the group attacking assets in Chile in 2018 and, more recently, in Mexico: it’s likely that there are victims in other countries too, as some of the targeted banks have international operations. 
As a rule, the malware uses AutoIt or VBS scripts, embedded in MSI files, which run malicious DLLs using the DLL hijacking technique in order to bypass security solutions.\r\nThe malware steals passwords from browsers and from the device’s memory, and provides remote access so the operators can capture internet banking sessions. It also includes a Bitcoin wallet stealing module. Our telemetry confirms that, since January 2020, Melcoz has been actively targeting Brazil, Chile and Spain, among other countries.\r\nSince both malware families originate in Brazil, the individuals arrested in Spain are just operators. So, it’s likely that the creators of Grandoreiro and Melcoz will continue to develop new malware techniques and recruit new members in their countries of interest.\r\nGamers beware\r\nEarlier this year, we discovered an ad in an underground forum for a piece of malware dubbed BloodyStealer by its creators. The malware is designed to steal passwords, cookies, bank card details, browser auto-fill data, device information, screenshots, desktop and client uTorrent files, and Bethesda, Epic Games, GOG, Origin, Steam, Telegram and VimeWorld client sessions and logs.\r\nThe BloodyStealer ad (Source: https://twitter.com/3xp0rtblog)\r\nThe authors of the malware, which has hit users in Europe, Latin America and the Asia-Pacific region, have adopted a MaaS distribution model, meaning that anyone can buy it for the modest price of around $10 per month (roughly $40 for a “lifetime license”).\r\nOn top of its theft functions, the malware includes tools to thwart analysis. It sends stolen information as a ZIP archive to the C2 (command-and-control) server, which is protected against DDoS (distributed denial of service) attacks. 
The cybercriminals use either the (quite basic) control panel or Telegram to obtain the data, including gamer accounts.\r\nBloodyStealer is just one of many tools available on the dark web for stealing gamer accounts. Moreover, underground forums often feature ads offering to post a malicious link on a popular website or selling tools to generate phishing pages automatically. Using these tools, cybercriminals can collect, and then try to monetize, a huge number of credentials. All kinds of offers related to gamer accounts can be found on the dark web.\r\nSo-called logs are among the most popular. These are databases containing reams of data for logging into accounts. In their ads, attackers can specify the types of data, the geography of users, the period over which the logs were collected and other details. For example, in the screenshot below, an underground forum member offers an archive with 65,600 records, of which 9,000 are linked to users from the US, and 5,000 to residents of India, Turkey and Canada. The entire archive costs $150 (that’s about 0.2 cents per record).\r\nCybercriminals can also use compromised gaming accounts to launder money, distribute phishing links and conduct other illegal business.\r\nYou can read more about gaming threats, including BloodyStealer, here and here.\r\nTriada Trojan in WhatsApp mod\r\nNot everyone is happy with the official WhatsApp app, turning instead to modified WhatsApp clients for features that the WhatsApp developers haven’t yet implemented in the official version. The creators of these mods often embed ads in them. However, their use of third-party ad modules can provide a mechanism for malicious code to be slipped into the app unnoticed.\r\nThis happened recently with FMWhatsApp, a popular WhatsApp mod. 
In version 16.80.0 the developers used a third-party ad module that includes the Triada Trojan (detected by Kaspersky’s mobile antivirus as Trojan.AndroidOS.Triada.ef). This Trojan performs an intermediary function. First, it collects data about the user’s device, and then, depending on the information, it downloads one of several other Trojans. You can find a description of the functions that these other Trojans perform in our analysis of the infected FMWhatsApp mod.\r\nQakbot banking Trojan\r\nQakBot (aka QBot, QuackBot and Pinkslipbot) is a banking Trojan that was first discovered in 2007, and has been continually maintained and developed since then. It is now one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (logins, passwords, etc.), but it has also acquired functionality allowing it to spy on financial operations, spread itself and install ransomware in order to maximize revenue from compromised organizations.\r\nThe Trojan also includes the ability to log keystrokes, backdoor functionality, and techniques to evade detection. The latter include virtual environment detection, regular self-updates and cryptor/packer changes. QakBot also tries to protect itself from being analyzed and debugged by experts and automated tools. Another interesting piece of functionality is the ability to steal emails: the attackers later use the stolen correspondence to send targeted emails to the victims, luring them into opening the messages with information taken from their own mailboxes.\r\nQakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails are delivered with Microsoft Office documents or password-protected archives with documents attached. 
The documents contain macros, and victims are prompted to open the attachments with claims that they contain important information (e.g., an invoice). In some cases, the emails contain links to web pages distributing malicious documents.\r\nThere is also another infection vector, in which a malicious QakBot payload is transferred to the victim’s machine by other malware already present on it. The initial infection vector may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It’s known that various threat actors perform reconnaissance of target organizations beforehand to decide which infection vector is most suitable.\r\nWe analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% – from 10,493 in the previous year to 17,316 this year.\r\nNumber of users affected by QakBot attacks from January to July in 2020 and 2021\r\nYou can read our full analysis here.\r\nSource: https://www.redpacketsecurity.com/it-threat-evolution-q3-2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.redpacketsecurity.com/it-threat-evolution-q3-2021/"
	],
	"report_names": [
		"it-threat-evolution-q3-2021"
	],
	"threat_actors": [
		{
			"id": "7c00086d-9535-4552-8201-1dd725e41b12",
			"created_at": "2023-04-26T02:03:03.128736Z",
			"updated_at": "2026-04-10T02:00:05.239152Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [
				"LuminousMoth"
			],
			"source_name": "MITRE:LuminousMoth",
			"tools": [
				"PlugX",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"ITG12",
				"KRYPTON",
				"MAKERSMARK",
				"Pensive Ursa",
				"Secret Blizzard",
				"Turla",
				"UAC-0003",
				"UAC-0024",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "493c47f7-b265-4b10-95de-d86af942c543",
			"created_at": "2023-04-27T02:04:45.385041Z",
			"updated_at": "2026-04-10T02:00:04.939878Z",
			"deleted_at": null,
			"main_name": "Tomiris",
			"aliases": [],
			"source_name": "ETDA:Tomiris",
			"tools": [
				"JLOGRAB",
				"JLORAT",
				"Kapushka",
				"KopiLuwak",
				"Meterpreter",
				"QUIETCANARY",
				"RATel",
				"RocketMan",
				"Roopy",
				"Telemiris",
				"Tomiris",
				"Topinambour",
				"Tunnus",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ef437d-e8fa-4250-9a99-89a403035ad2",
			"created_at": "2022-10-25T16:07:24.406019Z",
			"updated_at": "2026-04-10T02:00:04.977275Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [
				"WilePressure"
			],
			"source_name": "ETDA:WildPressure",
			"tools": [
				"Milum"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CozyLarch",
				"Dark Halo",
				"Midnight Blizzard",
				"NOBELIUM",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "92049df8-7902-48e8-ad17-97398b923698",
			"created_at": "2022-10-25T16:07:23.81315Z",
			"updated_at": "2026-04-10T02:00:04.757082Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [],
			"source_name": "ETDA:LuminousMoth",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c652e4b-2f17-4e18-bd05-af12c27e76fb",
			"created_at": "2023-11-30T02:00:07.302263Z",
			"updated_at": "2026-04-10T02:00:03.485667Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [],
			"source_name": "MISPGALAXY:WildPressure",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434309,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9bfd8148afed8e20705452991b5b27552058ff81.pdf",
		"text": "https://archive.orkl.eu/9bfd8148afed8e20705452991b5b27552058ff81.txt",
		"img": "https://archive.orkl.eu/9bfd8148afed8e20705452991b5b27552058ff81.jpg"
	}
}
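The actor records above come from several sources (ETDA, MISPGALAXY, MITRE, Secureworks) and overlap heavily: MUSTANG PANDA, BRONZE PRESIDENT, LuminousMoth and Mustang Panda are one actor under four source names, as are APT29, APT 29 and UNC2452, and the two Turla entries. The aliases also differ only in case, spacing or punctuation ("TEMP.HEX", "Temp.Hex ", "TEMP.Hex"; "APT29", "APT 29"; "DarkHalo", "Dark Halo"), and some carry trailing whitespace. The following is an added example, not ORKL's or any vendor's code, showing how a practitioner can collapse such records into one cluster per actor: names are normalised to a canonical key and records sharing a key are merged transitively with union-find. RECORDS is a constructed subset of this document's records; the normalisation rule and the `min_shared` corroboration threshold are this example's assumptions.

```python
"""Cluster overlapping threat-actor records from several CTI sources.

Added example, not ORKL's or any vendor's code. Two records are treated as the
same actor when they share at least `min_shared` normalised names (main_name
plus aliases); sharing is transitive, so clusters are found with union-find.
RECORDS is a constructed subset of the actor records in this JSON document."""
import re
from collections import Counter, defaultdict
from itertools import combinations

RECORDS = [
    {"main_name": "MUSTANG PANDA", "source_name": "MISPGALAXY:MUSTANG PANDA",
     "aliases": ["Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX",
                 "Earth Preta", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416"]},
    {"main_name": "BRONZE PRESIDENT", "source_name": "Secureworks:BRONZE PRESIDENT",
     "aliases": ["Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ",
                 "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon "]},
    {"main_name": "LuminousMoth", "source_name": "ETDA:LuminousMoth", "aliases": []},
    {"main_name": "Mustang Panda", "source_name": "ETDA:Mustang Panda",
     "aliases": ["Bronze President", "Earth Preta", "G0129", "HoneyMyte", "Mustang Panda",
                 "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon"]},
    {"main_name": "APT29", "source_name": "MISPGALAXY:APT29",
     "aliases": ["Cloaked Ursa", "IRON HEMLOCK", "G0016", "Nobelium", "YTTRIUM",
                 "COZY BEAR", "The Dukes"]},
    {"main_name": "UNC2452", "source_name": "MISPGALAXY:UNC2452",
     "aliases": ["DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard"]},
    {"main_name": "APT 29", "source_name": "ETDA:APT 29",
     "aliases": ["APT 29", "Cozy Bear", "Dark Halo", "Midnight Blizzard", "UNC2452", "Yttrium"]},
    {"main_name": "Turla", "source_name": "MISPGALAXY:Turla",
     "aliases": ["VENOMOUS Bear", "Waterbug", "KRYPTON", "Uroburos", "Secret Blizzard", "G0010"]},
    {"main_name": "Turla", "source_name": "MITRE:Turla",
     "aliases": ["Turla", "IRON HUNTER", "Waterbug", "Krypton", "Venomous Bear", "Secret Blizzard"]},
    {"main_name": "Salt Typhoon", "source_name": "ETDA:Salt Typhoon",
     "aliases": ["Earth Estries", "FamousSparrow", "GhostEmperor", "UNC2286"]},
    {"main_name": "Play", "source_name": "MITRE:Play", "aliases": None},  # null aliases occur in the data
]


def normalise(name: str) -> str:
    """Canonical key for a name: casefold and keep only letters and digits, so that
    'APT 29' == 'APT29', 'Temp.Hex ' == 'TEMP.HEX' and 'DarkHalo' == 'Dark Halo'.
    Assumption of this example: the rule is deliberately aggressive (it only ever merges)."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())


def record_keys(rec: dict) -> set:
    """All normalised names a record answers to; `aliases` may be null or empty."""
    names = [rec["main_name"], *(rec.get("aliases") or [])]
    return {normalise(n) for n in names if n and n.strip()}


class DisjointSet:
    """Union-find with path halving; element i is record index i."""

    def __init__(self, n: int):
        self.parent = list(range(n))

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        self.parent[self.find(a)] = self.find(b)


def cluster_actors(records, min_shared: int = 1):
    """Return one sorted list of source_name strings per distinct actor, largest cluster first.

    min_shared > 1 demands corroboration before two records are merged, which stops a
    single stray alias in one source from chaining two unrelated actors together."""
    by_key = defaultdict(set)            # normalised name -> record indices using it
    for i, rec in enumerate(records):
        for key in record_keys(rec):
            by_key[key].add(i)

    shared = Counter()                   # (i, j) -> number of names the pair shares
    for members in by_key.values():
        for a, b in combinations(sorted(members), 2):
            shared[(a, b)] += 1

    ds = DisjointSet(len(records))
    for (a, b), n in shared.items():
        if n >= min_shared:
            ds.union(a, b)

    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[ds.find(i)].append(rec["source_name"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for group in cluster_actors(RECORDS):
        print(" == ".join(group))
```

With the default `min_shared=1`, the ETDA LuminousMoth record joins the Mustang Panda cluster on the strength of one alias in the MISPGALAXY record; with `min_shared=2` it stays a singleton because no second source corroborates the link. Tool names are deliberately excluded from the keys: shared commodity tooling (Cobalt Strike, Mimikatz, PsExec, nbtscan appear under most actors above) says nothing about identity.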