{
	"id": "f74c4634-fc1e-43e6-b424-96ae641bc7b7",
	"created_at": "2026-04-06T00:11:48.777059Z",
	"updated_at": "2026-04-10T03:36:48.311476Z",
	"deleted_at": null,
	"sha1_hash": "9ce0dd3aec50b9b1fcfcaa6da77bf6ebc40538f3",
	"title": "Updated Shadowpad Malware Leads to Ransomware Deployment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 588464,
	"plain_text": "Updated Shadowpad Malware Leads to Ransomware Deployment\r\nBy: Daniel Lunghi Feb 20, 2025 Read time: 10 min (2782 words)\r\nPublished: 2025-02-20 · Archived: 2026-04-02 11:09:39 UTC\r\nKey Takeaways\r\nTwo recent incident response cases in Europe involved Shadowpad, a malware family connected to various Chinese\r\nthreat actors. Our research suggested that this malware family had targeted at least 21 companies across 15 countries\r\nin Europe, the Middle East, Asia, and South America.\r\nUnusually, in some of these incidents the threat actor deployed ransomware from an unreported family.\r\nThe threat actors gained access through remote network attacks, exploiting weak passwords and bypassing multi-factor authentication mechanisms.\r\nIn November 2024, we had two incident response cases in Europe with similar C\u0026C servers and other TTPs, suggesting a\r\nsingle threat actor behind both operations. Both incidents involved Shadowpad, a malware family that has been used by\r\nmultiple advanced Chinese threat actors to perform espionage.\r\nHunting for similar TTPs, we found a total of 21 companies being targeted with a similar malware toolkit in the last 7 months:\r\nnine of them in Europe, eight in Asia, three in the Middle East, and one in South America. We found eight different\r\nindustries being affected, with more than half of the targets being in the Manufacturing industry. They are listed in the\r\nVictimology section.\r\nIn two cases, the threat actor deployed ransomware of a previously unreported family. This is an uncommon move for\r\nthreat actors using Shadowpad, although it has been reported that APT41 used Encryptor RaaS. We don’t\r\nknow why our threat actor deployed the ransomware only for some of the targets we found.\r\nInfection vector\r\nIn both incidents we investigated, the threat actor initially compromised the target via a remote network attack. 
They\r\naccessed the victim’s network after connecting to the VPN using an administrative account with a weak password. In one\r\ncase, the threat actor bypassed a certificate-based multi-factor authentication mechanism by unknown means, possibly by\r\nobtaining a valid certificate prior to the compromise. In the other case, there was no multi-factor authentication and there were\r\ntraces of brute-force attacks, but we cannot confirm they are related to the threat actor’s successful connection.\r\nAfter gaining access to the internal network, and armed with administrative privileges, the threat actor deployed the\r\nShadowpad malware, sometimes on the domain controller.\r\nKnowledge of how actors of this caliber update their tooling and whom they target is critical for companies that may consider\r\nthemselves of interest to such adversaries. Given the use of ransomware and a likely interest in some level of intellectual\r\nproperty theft, we recommend that those in the Manufacturing industry in particular leverage their security platform\r\nproviders to sweep for indicators of this campaign.\r\nVictimology\r\nWe found 21 companies being targeted by this threat actor, in 15 different countries and 9 different industries.\r\nhttps://www.trendmicro.com/fr_fr/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html\r\nPage 1 of 7\n\nFigure 1. Map of targeted countries\r\nAffected industry | Number of targets\r\nManufacturing | 11\r\nTransportation | 2\r\nPublishing | 2\r\nEnergy | 1\r\nPharmacy | 1\r\nBanking | 1\r\nMining | 1\r\nEducation | 1\r\nEntertainment | 1\r\nWe don’t know the ultimate goal of the threat actor. However, it is possible that some of this targeting is related to\r\nintellectual property theft. Additionally, we are aware of some cases where the threat actor deployed a ransomware family. 
In\r\nboth incidents, we observed the dumping of Active Directory information and the creation of RAR archives, which were\r\nlater deleted.\r\nMalware toolkit\r\nShadowpad\r\nShadowpad is a modular malware family discovered in 2017 in a supply chain attack against the\r\nNetSarang software. It has been attributed to the Chinese threat actor APT41, before being shared among\r\nmultiple Chinese threat actors in 2019. We have monitored multiple groups related to APT41, such as Earth Baku, Earth\r\nLongzhi, and Earth Freybug.\r\nIt has plugins for typical espionage features such as keylogging, screenshot grabbing, and file retrieval. The code is\r\nobfuscated by a custom algorithm and only decoded in memory. The obfuscation saw a major change in\r\nlate 2020, with Earth Lusca being the first group that we saw using such a version. In February 2022, there was a slight\r\nupdate to the obfuscation of this second version. Mandiant has recently published a detailed blog post on\r\nsuch obfuscation and how to circumvent it.\r\nThe version in this case is similar to the February 2022 version, with some additional features that have been unreported\r\nuntil now:\r\nSimple and well-known anti-debugging techniques preventing the malware from being debugged normally (more\r\ndetails in a dedicated section below)\r\nEncryption of the Shadowpad payload in the registry using the volume serial number, which is unique to the\r\nvictim’s machine\r\nThe format of the configuration and its parsing changed, but the content remains the same (see section below)\r\nUsage of DNS over HTTPS (DoH), which makes monitoring of the network connections harder. 
We no longer see\r\nthe requests to resolve the C\u0026C domain name, but only the connections to the IP address linked to that domain.\r\nWhile these features are not major enhancements of the malware itself, they show that the malware is in active development\r\nand that its developers are willing to make their malware analysis harder. We do not know if this threat actor is the only group\r\nusing this enhanced Shadowpad version. We encountered it for the first time in November 2023 targeting critical\r\ninfrastructure in India, without being able to attribute the sample at the time.\r\nUsually, Shadowpad is split into three different files:\r\nA legitimate signed executable file vulnerable to DLL side-loading\r\nA malicious DLL abusing the above vulnerability, with the purpose of decoding and loading the payload in memory\r\nA binary file containing the encoded Shadowpad payload\r\nOnce the DLL decodes and loads the Shadowpad payload in memory, it encodes it again in the registry using a key derived\r\nfrom the volume serial number, and it deletes the binary file from the filesystem. 
This prevents researchers that don’t have\r\naccess to the victim’s registry or RAM from retrieving the final payload, especially the configuration file containing the C\u0026C.\r\nDuring our investigation, we noticed the following legitimate files being abused. Note that most of these files are several\r\nyears old at the time of writing:\r\nSHA256 | Legitimate filename | Side-loaded DLL | Signer\r\n9df4624f815d9b04d31d9b156f7debfd450718336eb0b75100d02cb45d47bd9a | SentinelMemoryScanner.exe | SentinelAgentCore.dll | SentinelOn\r\n28d78e52420906794e4059a603fa9f22d5d6e4479d91e9046a97318c83998679 | Logger.exe | logexts.dll | Microsoft Corporatio\r\nbdf019bc6cfb239f0beae4275246216cd8ae8116695657a324497ec96e538aac | nvAppBar.exe | nView64.dll | NVIDIA Corporatio\r\n41128b82fa12379034b3c42bdecf8e3b435089f19a5d57726a2a784c25e9d91f | FmApp.exe | FmApp.dll | Fortemedia\r\nc8268641aecad7bd32d20432da49bb8bfc9fe7391b92b5b06352e7f4c93bc19e | U3BoostSvr64.exe | \u003cexecutable filename\u003eLOC.dll | ASUSTeK Computer I\r\ne06710652fa3c8b45fd0fece3b59e7614ad59a9bc0c570f4721aee3293ecd2d1 | syncappw.exe | syncapp.dll | Botkind, In\r\nf4e8841a14aa38352692340729c3ed6909d7521dd777518f12b8bd2d15ea00c5 | EPSDNLMW32.EXE | \u003cexecutable filename\u003eLOC.dll | SEIKO EP CORPORA\r\naa1233393dded792b74e334c50849c477c4b86838b32ef45d6ab0dc36b4511e3 | RoboTaskBarIcon.exe | roboform-x64.dll | Siber Syste\r\nAnti-debugging\r\nThe developers implemented multiple techniques to detect the debugging of the malware. While those techniques are well-known, the fact that the Shadowpad code is highly obfuscated makes them more difficult to find.\r\nThe techniques are the following:\r\nChecking the third byte of the Process Environment Block (PEB) (1 if the process is being debugged, otherwise 0)\r\nChecking the value of the NtGlobalFlag field of the PEB. 
If the process has been created by a debugger, its value\r\nwill be 0x70, or zero otherwise\r\nRetrieving the number of CPU cycles at two different moments and comparing the difference between both values. If\r\nthe number of elapsed cycles is larger than a value fixed by the developer, the malware considers it is being\r\ndebugged. This technique is performed by calling the RDTSC instruction twice and comparing the number of cycles\r\nto 10000000\r\nRetrieving the number of milliseconds that passed since the system was started by calling the GetTickCount\r\nWindows API at two different locations, and comparing the difference to a value fixed by the developer, in this case\r\n3000\r\nRetrieving the context of the current thread through the GetThreadContext Windows API and checking if any debug register\r\nis set\r\nChecking the value of the ProcessDebugPort field by calling the NtQueryInformationProcess Windows API, which\r\nequals 0xffffffff when the process is debugged\r\nIf any of these checks results in the detection of a debugger, the malware terminates itself. Some of these techniques are\r\nimplemented in the DLL loader, the payload, or both.\r\nConfiguration\r\nThe structure of the configuration changed in comparison to the structure we discussed in July 2023.\r\nFigure 2. 
Structure of configuration file\r\nThere is still a 4-byte configuration header at the beginning (highlighted in red).\r\nNow, every item has a three-byte identifier (highlighted in yellow) and a one-byte type (highlighted in green).\r\nWe identified the following types:\r\nItem type | Description\r\n0x1 | One-byte value\r\n0x2 | Two-byte value\r\n0x3 | Four-byte value\r\n0x5 | Encrypted bitstream\r\n0x6 | Encrypted string\r\nIn the case of an encrypted string or bitstream, the item is followed by a 4-byte length (highlighted in pink) and the\r\nencrypted data itself (highlighted in blue).\r\nThere are also items that contain a value, either one byte (highlighted in orange), two bytes, or four bytes (highlighted in brown).\r\nWe identified the following IDs:\r\nID | Description\r\n0x10300 | Mutex name\r\n0x10400 | “campaign note”\r\n0x30100 | Service name\r\n0x30200 | Service display name\r\n0x30300 | Service description\r\n0x30400 | Registry key used for persistence\r\n0x30500 | Value of the registry key used for persistence\r\n0x40100 to 0x40103 | Path to the process run at boot time\r\n0x40200 | Side-loaded DLL name\r\n0x40300 to 0x40303 | Path to the process where the code is injected\r\n0x40500 to 0x40503 | C\u0026C\r\n0x40700 to 0x40701 | DNS servers\r\n0x40800 to 0x40806 | HTTP headers for C\u0026C communication\r\nRansomware\r\nWe found an unreported ransomware family that we believe is related to this threat actor. 
Although it has been reported\r\nthat APT41 deployed Encryptor RaaS ransomware in the past, it was described as uncommon, and we have not\r\nseen any other threat actor using an advanced malware such as Shadowpad deploying ransomware.\r\nSimilarly to Shadowpad, the loading mechanism involves three files:\r\nLegitimate usysdiag.exe file signed by Beijing Huorong Network Technology Co., Ltd.\r\nMalicious sensapi.dll side-loaded by usysdiag.exe\r\nEncoded payload named usysdiag.dat\r\nOnce loaded in memory, the malware encrypts all files on the affected system, with the following exceptions:\r\nFiles with the following extensions: .EXE, .DLL, and .SYS\r\nFiles in the following folders: Windows, Program Files, Program files (x86), ProgramData, AppData, and Application\r\nData\r\nFor each encrypted file, the ransomware generates a random 32-byte AES key that is used to encrypt the file. The key is\r\nthen XORed with 0x3F and encrypted with a public RSA key hardcoded in the sample. The resulting encrypted blob is\r\nappended to the encrypted file, meaning that the person with the private RSA key can decrypt the blob to retrieve the AES\r\nencryption key and decrypt the file.\r\nEvery encrypted file is renamed with the .locked extension.\r\nThen an HTML file with one of the following names is dropped into every directory containing encrypted files:\r\nlocked.html\r\nunlock_please_view_this_file.html\r\nunlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_t\r\nFigure 3. Contents of ransom note\r\nThe HTML file contains a reference to a website selling the Kodex Evil Extractor tool, which contains a ransomware feature\r\nthat has been reported in the past. 
The ransom note looks the same as the one displayed in the Evil\r\nExtractor documentation.\r\nHowever, the description of the algorithm in the Evil Extractor documentation does not match at all what we have observed.\r\nFigure 4. Text from Evil Extractor documentation\r\nWe also found two different Evil Extractor samples in VirusTotal, verified that they were dropping an HTML file with the\r\nsame appearance, and confirmed that their behavior was totally different from our malware. It actually matched what the\r\nKodex documentation described.\r\nTherefore, we believe the threat actor copied the Kodex ransomware HTML file structure to mislead analysts into\r\nbelieving this is the Kodex ransomware, while the ransomware family we have analyzed is totally different.\r\nWhatever the intents of the attackers, this part of the attack was not profitable: we have noted no transactions into any of the\r\ncryptocurrency addresses we found in these ransom notes. This indicates no victim actually paid the ransom.\r\nPost-exploitation tool\r\nCQHashDumpv2\r\nIn two cases we saw Shadowpad running a file named cq.exe with the --samdump argument. We found this file was part of\r\nCQTools, a penetration testing toolkit presented at BlackHat in 2019 by CQure.\r\nFigure 5. Documentation of CQHashDumpv2.exe from BlackHat paper\r\nImpacket\r\nImpacket is a collection of Python classes for working with network protocols. 
We noticed the usage of WmiExec from the\r\nImpacket toolkit to connect to remote hosts.\r\nDumping Active Directory databases\r\nWhile we have no evidence of which tool was used (probably NTDSUtil), the threat actor created files named aaaa.dit likely\r\ncontaining the Active Directory database content, which could then be used for offline password cracking.\r\nInfrastructure\r\nWe have only one domain name that has been used by Shadowpad as a C\u0026C server in both incident response investigations\r\nwe conducted. For all other Shadowpad loaders we found, we were unable to retrieve the related encoded payload and,\r\nconsequently, the associated C\u0026C information.\r\nThis domain is updata.dsqurey[.]com. By pivoting on the infrastructure, we were able to identify further IP addresses. We\r\nfound 3 additional domain names, up to 10 if we count the subdomains.\r\nSome of these domain names were linked to other Shadowpad samples, and to a blog post that mentioned\r\nsimilar TTPs to what we observed, reinforcing our belief that they are linked to this threat actor.\r\nThose domains are listed in the IOC section.\r\nAttribution\r\nWe did not find evidence strong enough to link this activity to older operations or to a known threat actor. We found two low-confidence\r\nlinks pointing towards the Teleboyi threat actor, which we explain below.\r\nPlugX code overlap\r\nPlugX is a malware family that has existed since at least 2008, used in multiple targeted attacks usually by Chinese threat actors,\r\nalthough over time its usage expanded to a wider range of attacks. It is believed that Shadowpad is the successor of PlugX.\r\nWe found in VirusTotal a PlugX sample connecting to the bcs[.]dsqurey[.]com domain name. 
One of the\r\nShadowpad samples linked to this case connected to updata[.]dsqurey[.]com.\r\nThe PlugX sample uses a custom algorithm for string decryption.\r\nIn their JSAC presentation (slide 27), TeamT5 describe the TeleBoyi custom PlugX loader as using a similar algorithm for\r\ndecryption of strings. TeamT5 also lists “Operation Harvest” as being related to Teleboyi. The McUtil.dll\r\nPlugX loader (SHA-256: f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498) listed in the Operation\r\nHarvest blog post displays a similar string decryption algorithm. Another similarity is the PE icon of the PlugX sample,\r\nwhich is part of the icons listed by TeamT5. Based on all these findings, we assess with high confidence that this PlugX\r\nsample belongs to Teleboyi.\r\nHowever, we found out that the dsqurey[.]com domain name was initially registered on 2018-03-27, expired in late March\r\n2022, and was registered again on 2022-06-23. We don’t know if the same threat actor got its domain back, or if it was\r\nregistered by a different threat actor. 
We consider this link to Teleboyi as weak.\r\nInfrastructure overlap\r\nIn January 2024, 108.61.163[.]91 resolved to dscriy.chtq[.]net, a domain we link to this threat actor.\r\nIn May 2022, it resolved to sery.brushupdata[.]com, a domain name listed in Operation Harvest.\r\nWe consider this link to Teleboyi weak since there is a year and a half between both resolutions.\r\nAcknowledgments\r\nThanks to our European incident response and APT-OPS teams as well as Fernando Mercês for their help in this\r\ninvestigation.\r\nThanks to the Orange Cyberdefense CERT for their information on the ransomware family.\r\nTrend Vision One™\r\nTrend Vision One™ is an enterprise cybersecurity platform that simplifies security and helps enterprises detect\r\nand stop threats faster by consolidating multiple security capabilities, enabling greater command of the enterprise’s attack\r\nsurface, and providing complete visibility into its cyber risk posture. The cloud-based platform leverages AI and threat\r\nintelligence from 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk\r\ninsights, earlier threat detection, and automated risk and threat response options in a single solution.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat\r\nInsights within Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them\r\nto prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their\r\ntechniques. 
By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks,\r\nand effectively respond to threats.\r\nUpdated Shadowpad Malware Leads to Ransomware Deployment\r\nEmerging Threats: Updated Shadowpad Malware Leads to Ransomware Deployment\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post\r\nwith data in their environment.\r\nMonitor for connections to Shadowpad C\u0026C domains\r\neventSubId:(203 OR 204 OR 301 OR 602 OR 603) AND (\\\"updata.dsqurey.com\\\")\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators Of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/fr_fr/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/fr_fr/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html"
	],
	"report_names": [
		"updated-shadowpad-malware-leads-to-ransomware-deployment.html"
	],
	"threat_actors": [
		{
			"id": "5b317799-01c0-48fa-aee2-31a738116771",
			"created_at": "2022-11-20T02:02:37.746719Z",
			"updated_at": "2026-04-10T02:00:04.561617Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"Earth Longzhi"
			],
			"source_name": "ETDA:Earth Longzhi",
			"tools": [
				"Agentemis",
				"BigpipeLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"CroxLoader",
				"MultiPipeLoader",
				"OutLoader",
				"Symatic Loader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "315bd857-79cc-46f2-896f-aeb0fc576b49",
			"created_at": "2024-04-28T02:00:03.693599Z",
			"updated_at": "2026-04-10T02:00:03.62936Z",
			"deleted_at": null,
			"main_name": "Earth Freybug",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Freybug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "10e4e1de-afe4-4a62-b46d-07800c801a17",
			"created_at": "2024-04-24T02:02:07.562188Z",
			"updated_at": "2026-04-10T02:00:04.560334Z",
			"deleted_at": null,
			"main_name": "Earth Freybug",
			"aliases": [
				"Earth Freybug"
			],
			"source_name": "ETDA:Earth Freybug",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"UNAPIMON"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d196cb29-a861-4838-b157-a31ac92c6fb1",
			"created_at": "2023-11-04T02:00:07.66699Z",
			"updated_at": "2026-04-10T02:00:03.386945Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"SnakeCharmer"
			],
			"source_name": "MISPGALAXY:Earth Longzhi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "28ed64bd-f692-4fb4-b41e-cb8d0397bea6",
			"created_at": "2025-03-07T02:00:03.803851Z",
			"updated_at": "2026-04-10T02:00:03.833101Z",
			"deleted_at": null,
			"main_name": "Teleboyi",
			"aliases": [],
			"source_name": "MISPGALAXY:Teleboyi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b409af-b2ea-43b8-9223-e01d982e00ce",
			"created_at": "2022-10-25T16:07:23.966265Z",
			"updated_at": "2026-04-10T02:00:04.810937Z",
			"deleted_at": null,
			"main_name": "Operation Harvest",
			"aliases": [],
			"source_name": "ETDA:Operation Harvest",
			"tools": [
				"Agent.dhwf",
				"BadPotato",
				"BleDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Impacket",
				"Kaba",
				"Korplug",
				"Mimikatz",
				"NBTscan",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"RottenPotato",
				"SMBExec",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WinRAR",
				"Winnti",
				"Xamtrav",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434308,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ce0dd3aec50b9b1fcfcaa6da77bf6ebc40538f3.pdf",
		"text": "https://archive.orkl.eu/9ce0dd3aec50b9b1fcfcaa6da77bf6ebc40538f3.txt",
		"img": "https://archive.orkl.eu/9ce0dd3aec50b9b1fcfcaa6da77bf6ebc40538f3.jpg"
	}
}