{
	"id": "9ff57942-c2b7-4298-8351-1ae72ae2d473",
	"created_at": "2026-04-06T00:16:42.875113Z",
	"updated_at": "2026-04-10T03:36:33.687041Z",
	"deleted_at": null,
	"sha1_hash": "9c04a68e7ec7dcb995bf90bd920fdf35837400a3",
	"title": "MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 373905,
	"plain_text": "MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT\r\nBy Alexandre Côté Cyr\r\nArchived: 2026-04-05 16:20:33 UTC\r\nUPDATE (July 20th, 2025): Since this article was published, we have refined our definition of Mustang Panda. We now attribute MQsTTang to CeranaKeeper. The TTPs described here align more closely with this group, and the GitHub user YanNaingOo0072022 has been linked to activity we attribute to CeranaKeeper.\r\nESET researchers have analyzed MQsTTang, a new custom backdoor that we attribute to the Mustang Panda APT group. This backdoor is part of an ongoing campaign that we can trace back to early January 2023. Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.\r\nMustang Panda is known for its customized Korplug variants (also dubbed PlugX) and elaborate loading chains. In a departure from the group’s usual tactics, MQsTTang has only a single stage and doesn’t use any obfuscation techniques.\r\nVictimology\r\nWe have seen unknown entities in Bulgaria and Australia in our telemetry. We also have information indicating that this campaign is targeting a governmental institution in Taiwan. However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted. This would also be in line with the targeting of the group’s other recent campaigns. As documented by fellow researchers at Proofpoint, Mustang Panda has been known to target European governmental entities since at least 2020 and has increased its activity in Europe even further since Russia’s invasion of Ukraine. Figure 1 shows our view of the targeting for this campaign.\r\nhttps://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/\r\nPage 1 of 10\r\nFigure 1. Map showing known and suspected targets of MQsTTang\r\nAttribution\r\nWe attribute this new backdoor and the campaign to Mustang Panda with high confidence based on the following indicators.\r\nWe found archives containing samples of MQsTTang in two GitHub repositories belonging to the user YanNaingOo0072022. Another GitHub repository of the same user was used in a previous Mustang Panda campaign described by Avast in a December 2022 blogpost.\r\nOne of the servers used in the current campaign was running a publicly accessible anonymous FTP server that seems to be used to stage tools and payloads. In the /pub/god directory of this server there are multiple Korplug loaders, archives, and tools that were used in previous Mustang Panda campaigns. This is the same directory that was used by the stager described in the aforementioned Avast blogpost. This server also had a /pub/gd directory, which was another path used in that campaign.\r\nSome of the infrastructure used in this campaign also matches the network fingerprint of previously known Mustang Panda servers.\r\nTechnical analysis\r\nMQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and get the output. Even so, it does present some interesting characteristics. Chief among these is its use of the MQTT protocol for C\u0026C communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn’t been used in many publicly documented malware families. One such example is Chrysaor, also known as Pegasus for Android. From an attacker’s perspective, one of MQTT’s benefits is that it hides the rest of their infrastructure behind a broker. Thus, the compromised machine never communicates directly with the C\u0026C server. As seen in Figure 2, this capability is achieved by using the open source QMQTT library. This library depends on the Qt framework, a large part of which is statically linked in the malware. Using the Qt framework for malware development is also fairly uncommon. Lazarus’s MagicRAT is one of the rare recently documented examples.\r\nFigure 2. RTTI showing classes from the QMQTT library\r\nMQsTTang is distributed in RAR archives which only contain a single executable. These executables usually have names related to diplomacy and passports, such as:\r\nCVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe\r\nDocuments members of delegation diplomatic from Germany.Exe\r\nPDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE\r\nNote No.18-NG-23 from Embassy of Japan.exe\r\nThese archives are hosted on a web server with no associated domain name. This fact, along with the filenames, leads us to believe that the malware is spread via spearphishing.\r\nSo far, we have only observed a few samples. Besides variations in some constants and hardcoded strings, the samples are remarkably similar. The only notable change is the addition of some anti-analysis techniques in the latest versions. The first of these consists of using the CreateToolhelp32Snapshot Windows API function to iterate through running processes and look for the following known debuggers and monitoring tools:\r\ncheatengine-x86_64.exe\r\nollydbg.exe\r\nida.exe\r\nida64.exe\r\nradare2.exe\r\nx64dbg.exe\r\nprocmon.exe\r\nprocmon64.exe\r\nprocexp.exe\r\nprocesshacker.exe\r\npestudio.exe\r\nsystracerx32.exe\r\nfiddler.exe\r\ntcpview.exe\r\nNote that, while the malware is a 32-bit executable, it only checks for the presence of x64dbg and not its 32-bit counterpart, x32dbg.\r\nThe second technique uses the FindWindowW Windows API to look for the following window classes and titles used by known analysis tools:\r\nPROCMON_WINDOW_CLASS\r\nOLLYDBG\r\nWinDbgFrameClass\r\nOllyDbg - [CPU]\r\nImmunity Debugger - [CPU]\r\nWhen executed directly, the malware will launch a copy of itself with 1 as a command line argument. This is repeated by the new process, with the argument being incremented by 1 on every run. When this argument hits specific values, certain tasks will be executed. Note that the exact values vary between samples; the ones mentioned below correspond to the sample with SHA-1 02D95E0C369B08248BFFAAC8607BBA119D83B95B. However, the tasks themselves and the order in which they are executed are constant.\r\nFigure 3 shows an overview of this behavior along with the tasks that are executed when the malware is first run.\r\nFigure 3. Execution graph showing the subprocesses and executed tasks\r\nTable 1 contains a list of the tasks and the value at which each of them is executed. We will describe them in further detail in the upcoming paragraphs.\r\nTable 1. Tasks executed by the backdoor\r\nTask number | Argument value | Task description\r\n1 | 5 | Start C\u0026C communication.\r\n2 | 9 | Create copy and launch.\r\n3 | 32 | Create persistence copy.\r\n4 | 119 | Establish persistence.\r\n5 | 148 | Stop recursive execution.\r\nIf any analysis tool or debugger is detected using the techniques we described previously, the behavior of task 1 is altered and tasks 2, 3, and 4 are skipped entirely.\r\nTask 1: C\u0026C communication\r\nAs was previously mentioned, MQsTTang communicates with its C\u0026C server over the MQTT protocol. All observed samples use 3.228.54.173 as broker. This server is a public broker operated by EMQX, who also happen to be the maintainers of the QMQTT library. This could be a way to make the network traffic seem legitimate and to hide Mustang Panda’s own infrastructure. Using this public broker also provides resiliency; the service is unlikely to be taken down because of its many legitimate users and, even if the current C\u0026C servers are banned or taken down, Mustang Panda could spin up new ones and use the same MQTT topics without disrupting MQsTTang’s operation.\r\nHowever, this campaign could also be a test case by Mustang Panda before deciding whether to invest the time and resources to set up their own broker. This is supported by the low number of samples we’ve observed and the very simple nature of MQsTTang.\r\nAs shown in Figure 4, the malware and C\u0026C server use two MQTT topics for their communication. The first one, iot/server2, is used for communication from the client to the server. The second one is used for communication from the server to the client. It follows the format iot/v2/\u003cUnique ID\u003e where \u003cUnique ID\u003e is generated by taking the last 8 bytes, in hex form, of a UUID. If any analysis tool is detected, server2 and v2 are respectively replaced with server0 and v0. This is likely in order to avoid tipping off defenders by entirely aborting the malware’s execution early.\r\nFigure 4. Simplified network graph of the communication between the backdoor and C\u0026C server\r\nAll communication between the server and the client uses the same encoding scheme. The MQTT message’s payload is a JSON object with a single attribute named msg. To generate the value of this attribute, the actual content is first base64 encoded, then XORed with the hardcoded string nasa, and base64 encoded again. We will describe the exact format of these payloads in the relevant sections.\r\nUpon first connecting to the broker, the malware subscribes to its unique topic. Then, and every 30 seconds thereafter, the client publishes a KeepAlive message to the server’s topic. The content of this message is a JSON object with the following format:\r\n{\r\n \"Alive\": \"\u003cmalware’s uptime in minutes\u003e\",\r\n \"c_topic\": \"\u003cclient’s unique topic\u003e\"\r\n}\r\nWhen the server wants to issue a command, it publishes a message to the client’s unique topic. The plaintext content of this message is simply the command to be executed. As shown in Figure 5, the client executes the received command using QProcess::startCommand from the Qt framework. The output, obtained using QProcess::readAllStandardOutput, is then sent back in a JSON object with the following format:\r\n{\r\n \"c_topic\": \"\u003cclient’s unique topic\u003e\",\r\n \"ret\": \"\u003cCommand output\u003e\"\r\n}\r\nFigure 5. Execution of received commands using the QProcess class\r\nSince only the content of standard output is sent back, the server will not receive errors or warnings. From the server’s point of view, a failed command is thus indistinguishable from a command that simply produces no output unless some sort of redirection is performed.\r\nTasks 2 and 3: Copying the malware\r\nThe second and third tasks are fairly similar to each other. They copy the malware’s executable to a hardcoded path: c:\\users\\public\\vdump.exe and c:\\users\\public\\vcall.exe respectively. The filenames used are different for each sample, but they are always located in the C:\\users\\public directory.\r\nIn the second task, the newly created copy is then launched with the command line argument 97.\r\nTask 4: Establishing persistence\r\nPersistence is established by the fourth task, which creates a new value qvlc set to c:\\users\\public\\vcall.exe under the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key. This will cause the malware to be executed on startup.\r\nWhen MQsTTang is executed on startup as c:\\users\\public\\vcall.exe, only the C\u0026C communication task is executed.\r\nConclusion\r\nThe Mustang Panda campaign described in this article is ongoing as of this writing. The victimology is unclear, but the decoy filenames are in line with the group’s other campaigns that target European political entities.\r\nThis new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools. It remains to be seen whether this backdoor will become a recurring part of the group’s arsenal, but it is one more example of the group’s fast development and deployment cycle.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\nA1C660D31518C8AFAA6973714DE30F3D576B68FC | CVs Amb.rar | Win32/Agent.AFBI | RAR archive used to distribute MQsTTang backdoor.\r\n430C2EF474C7710345B410F49DF853BDEAFBDD78 | CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe | Win32/Agent.AFBI | MQsTTang backdoor.\r\nF1A8BF83A410B99EF0E7FDF7BA02B543B9F0E66C | Documents.rar | Win32/Agent.AFBI | RAR archive used to distribute MQsTTang backdoor.\r\n02D95E0C369B08248BFFAAC8607BBA119D83B95B | PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE | Win32/Agent.AFBI | MQsTTang backdoor.\r\n0EA5D10399524C189A197A847B8108AA8070F1B1 | Documents members of delegation diplomatic from Germany.Exe | Win32/Agent.AFBI | MQsTTang backdoor.\r\n982CCAF1CB84F6E44E9296C7A1DDE2CE6A09D7BB | Documents.rar | Win32/Agent.AFBI | RAR archive used to distribute MQsTTang backdoor.\r\n740C8492DDA786E2231A46BFC422A2720DB0279A | 23 from Embassy of Japan.exe | Win32/Agent.AFBI | MQsTTang backdoor.\r\nAB01E099872A094DC779890171A11764DE8B4360 | BoomerangLib.dll | Win32/Korplug.TH | Known Mustang Panda Korplug loader.\r\n61A2D34625706F17221C1110D36A435438BC0665 | breakpad.dll | Win32/Korplug.UB | Known Mustang Panda Korplug loader.\r\n30277F3284BCEEF0ADC5E9D45B66897FA8828BFD | coreclr.dll | Win32/Agent.ADMW | Known Mustang Panda Korplug loader.\r\nBEE0B741142A9C392E05E0443AAE1FA41EF512D6 | HPCustPartUI.dll | Win32/Korplug.UB | Known Mustang Panda Korplug loader.\r\nF6F3343F64536BF98DE7E287A7419352BF94EB93 | HPCustPartUI.dll | Win32/Korplug.UB | Known Mustang Panda Korplug loader.\r\nF848C4F3B9D7F3FE1DB3847370F8EEFAA9BF60F1 | libcef.dll | Win32/Korplug.TX | Known Mustang Panda Korplug loader.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n3.228.54.173 | broker.emqx.io | Amazon.com, Inc. | 2020-03-26 | Legitimate public MQTT broker.\r\n80.85.156[.]151 | N/A | Chelyabinsk-Signal LLC | 2023-01-05 | MQsTTang delivery server.\r\n80.85.157[.]3 | N/A | Chelyabinsk-Signal LLC | 2023-01-16 | MQsTTang delivery server.\r\n185.144.31[.]86 | N/A | Abuse-C Role | 2023-01-22 | MQsTTang delivery server.\r\nGitHub repositories\r\nhttps://raw.githubusercontent[.]com/YanNaingOo0072022/14/main/Documents.rar\r\nhttps://raw.githubusercontent[.]com/YanNaingOo0072022/ee/main/CVs Amb.rar\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Some servers used in the campaign are on shared hosting.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Some servers used in the campaign seem to be exclusive to Mustang Panda.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | MQsTTang is a custom backdoor, probably developed by Mustang Panda.\r\nResource Development | T1588.002 | Obtain Capabilities: Tool | Multiple legitimate and open-source tools, including psexec, ps, curl, and plink, were found on the staging server.\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware | MQsTTang was uploaded to the web server for distribution.\r\nResource Development | T1608.002 | Stage Capabilities: Upload Tool | Multiple tools were uploaded to an FTP server.\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | MQsTTang is distributed via spearphishing links to a malicious file on an attacker-controlled web server.\r\nExecution | T1106 | Native API | MQsTTang uses the QProcess class from the Qt framework to execute commands.\r\nExecution | T1204.002 | User Execution: Malicious File | MQsTTang relies on the user to execute the downloaded malicious file.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | MQsTTang persists by creating a registry Run key.\r\nDefense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | In most samples, the registry key is created with the name qvlc. This matches the name of a legitimate executable used by VLC.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | When creating copies, MQsTTang uses filenames of legitimate programs.\r\nDefense Evasion | T1480 | Execution Guardrails | MQsTTang checks the paths it is executed from to determine which tasks to execute.\r\nDefense Evasion | T1622 | Debugger Evasion | MQsTTang detects running debuggers and alters its behavior if any are found to be present.\r\nCommand and Control | T1071 | Application Layer Protocol | MQsTTang communicates with its C\u0026C server using the MQTT protocol.\r\nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | MQsTTang uses a legitimate public MQTT broker.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | The content of the messages between the malware and server is base64 encoded.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | The content of the messages between the malware and server is encrypted using a repeating XOR key.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | The output of executed commands is sent back to the server using the same protocol.\r\nSource: https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/"
	],
	"report_names": [
		"mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7e75b11d-f74c-4721-958e-f5a831ae85dc",
			"created_at": "2024-10-25T02:02:07.623446Z",
			"updated_at": "2026-04-10T02:00:04.608517Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "ETDA:CeranaKeeper",
			"tools": [
				"ClaimLoader",
				"PUBLOAD",
				"TONEINS",
				"TONESHELL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eeea8091-668c-4e89-9c67-e688fd599365",
			"created_at": "2024-10-08T02:00:04.464686Z",
			"updated_at": "2026-04-10T02:00:03.723141Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "MISPGALAXY:CeranaKeeper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434602,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c04a68e7ec7dcb995bf90bd920fdf35837400a3.pdf",
		"text": "https://archive.orkl.eu/9c04a68e7ec7dcb995bf90bd920fdf35837400a3.txt",
		"img": "https://archive.orkl.eu/9c04a68e7ec7dcb995bf90bd920fdf35837400a3.jpg"
	}
}