{
	"id": "aa024f76-6638-49cd-b94d-3af76d153aa4",
	"created_at": "2026-04-06T00:16:56.360174Z",
	"updated_at": "2026-04-10T13:13:04.323746Z",
	"deleted_at": null,
	"sha1_hash": "a025cb6fa350be59a612965acd524522c1adf742",
	"title": "Cyber Operations Tracker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34876,
	"plain_text": "Cyber Operations Tracker\r\nArchived: 2026-04-05 16:19:33 UTC\r\nCyber Operations Home\r\nWinnti Umbrella\r\nDate of report\r\nMay 2018\r\nAffiliations\r\nAxiom\r\nThis threat actor targets software companies and political organizations in the United States, China, Japan, and\r\nSouth Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese\r\nintelligence services.\r\nSuspected victims\r\nUnited States, United Kingdom, Japan, South Korea, China, Hong Kong, Universities in Hong Kong\r\nSuspected state sponsor\r\nChina\r\nType of incident\r\nEspionage\r\nTarget category\r\nPrivate sector\r\nVictim government reaction\r\nUnknown\r\nRead more\r\nhttps://www.cfr.org/cyber-operations/winnti-umbrella\r\nPage 1 of 3\n\nBurning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored\r\nAttackers\r\nhttps://www.cfr.org/cyber-operations/winnti-umbrella\r\nPage 2 of 3\n\nReport: Chinese government is behind a decade of hacks on software companies\r\nSource: https://www.cfr.org/cyber-operations/winnti-umbrella\r\nhttps://www.cfr.org/cyber-operations/winnti-umbrella\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cfr.org/cyber-operations/winnti-umbrella"
	],
	"report_names": [
		"winnti-umbrella"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a025cb6fa350be59a612965acd524522c1adf742.pdf",
		"text": "https://archive.orkl.eu/a025cb6fa350be59a612965acd524522c1adf742.txt",
		"img": "https://archive.orkl.eu/a025cb6fa350be59a612965acd524522c1adf742.jpg"
	}
}