{
	"id": "46d701c8-1cc5-4c58-9a41-730fe642b927",
	"created_at": "2026-04-06T00:22:38.249769Z",
	"updated_at": "2026-04-10T03:36:06.867215Z",
	"deleted_at": null,
	"sha1_hash": "a5b18d33f92a2d419c68d98fcc5feb716b78d57e",
	"title": "Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 469642,
	"plain_text": "Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware\r\nBy: Daniel Lunghi, Kenney Lu Apr 09, 2021 Read time: 11 min (2961 words)\r\nPublished: 2021-04-09 · Archived: 2026-04-05 12:56:37 UTC\r\nUpdate as of April 27, 2021, 7 A.M. E.T.: We've updated the \"Rootkits From a Public Repository\" section and the\r\nappendix to include a second sample.\r\nMore than a year after Operation DRBControl, a campaign by a cyberespionage group that targets\r\ngambling and betting companies in Southeast Asia, we found evidence that the Iron Tiger threat actor is still\r\ninterested in the gambling industry.\r\nThis blog details how Iron Tiger threat actors have updated their toolkit with an updated SysUpdate malware\r\nvariant that now uses five files in its infection routine instead of the usual three. We also provide details on Iron\r\nTiger’s possible connections to other threat actors based on similar tactics, techniques, and procedures (TTPs)\r\nwe’ve observed.
Finally, we describe some of the rootkits that Iron Tiger is using, one of which is used to hide\r\nfiles at the kernel level, and has not been previously reported as being used by this threat actor.\r\nA Look at the Iron Tiger Threat Group\r\nIn 2019, Talent-Jump, Inc., a security service and system integration company, discovered\r\nseveral malware variants in a gambling company during an incident response operation and\r\nsought our help for further investigation and analysis.\r\nIn 2020 and 2021, Talent-Jump found new samples for malware families that are attributed to the Iron Tiger threat\r\nactor, which is also referred to as LuckyMouse, EmissaryPanda, and APT27.\r\nWhile investigating Operation DRBControl in 2019, we found several connections to multiple threat actors:\r\nIron Tiger, which uses the HyperBro trojan and some infrastructure links\r\nWinnti, which uses the same infrastructure and code-sharing links detailed in our paper\r\nBronze President, a threat actor that targets non-governmental organizations (NGOs).\r\nBack in 2019, we named a malware family, which we believed was new, as “Type 2.”\r\nHowever, after the publication of our report, we learned that the Type 2 malware family described in our report\r\nwas the same as the “RCSession” malware family that Dell Secureworks described in a blog\r\nthat they published in December 2019.\r\nAfter finding multiple tools belonging to the Iron Tiger threat actor (which we now track as Earth Smilodon), it is\r\nlikely that the new malware families that we found during the Operation DRBControl investigation came from the\r\nsame threat actor.\r\nNew Version of SysUpdate Malware\r\nhttps://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html\r\nPage 1 of 14\n\nFigure 1.
The old and new SysUpdate infection chains\r\nIn December 2020, we found a sample that we identified as one belonging to the SysUpdate malware family, also\r\nnamed Soldier, FOCUSFJORD, and HyperSSL. SysUpdate was first described by the NCC Group in 2018.\r\nIn the past, SysUpdate was loaded in memory by a known method involving three files:\r\nOne legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading\r\nOne malicious DLL loaded by the legitimate file\r\nOne binary file usually containing obfuscated code, unpacked in memory by the malicious DLL\r\nAn additional executable that serves as a launcher is loaded in memory, which then loads the final SysUpdate\r\npayload. Based on our investigation, instead of the usual three files, the threat actor used five:\r\ndlpumgr32.exe, a legitimate signed file that belongs to the DESlock+ product\r\nDLPPREM32.DLL, a malicious DLL sideloaded by dlpumgr32.exe that loads and decodes\r\nDLPPREM32.bin\r\nDLPPREM32.bin, a shellcode that decompresses and loads a launcher in memory\r\ndata.res, an encrypted file decoded by the launcher that contains two SysUpdate versions: one for a 32-bit\r\narchitecture and another for a 64-bit architecture\r\nconfig.res, an encrypted file decoded by the launcher that contains the SysUpdate configuration, such as the\r\ncommand-and-control (C\u0026C) address\r\nAnalysis of the Updated Tool: The Launcher\r\nIn summary, the launcher acts as an installer — it will copy the malware to a fixed place and ensure that it runs\r\nduring the next boot of the infected host.
In detail, this process involves multiple steps.\r\nThe launcher starts by instantiating the CLoadInfo object, which has the following structure:\r\nOffset | Description | Hardcoded values in our sample\r\n0 | VTable of CLoadInfo class | (none)\r\n4 | Directory to copy all files | %PROGRAMDATA%\\Test\\\r\n8 | Name of the legitimate executable | dlpumgr32.exe\r\n12 | Name of the sideloaded DLL | DLPPREM32.DLL\r\n16 | Name of the shellcode | DLPPREM32.bin\r\n20 | Name of the encrypted payload | data.res\r\n24 | MD5 of the encrypted payload | e43e40416520dab5b4c44ac8af907078\r\n28 | Name of the encrypted configuration | config.res\r\n32 | Name of the registry key value | servTest\r\n36 | Name of the service DisplayName | Servdisplay\r\nTable 1. CLoadInfo object structure\r\nThe launcher’s behavior changes depending on the number of arguments passed to the executable. It’s important\r\nto highlight that the change of behavior only depends on the number of arguments, and not the content:\r\nNo argument. If there is no argument, a hardcoded directory will be created wherein all the files will be\r\ncopied. The CreationTime, LastWriteTime, and LastAccessTime will be updated according to the\r\nC:\\Windows\\system32\\kernel32.dll file and their file attributes will be set to “hidden” and “system”.\r\nWindows Management Instrumentation (WMI) will be used to run dlpumgr32.exe with arguments “-up -run -x”\r\nand it will exit the current process.\r\nOne argument. It will skip the decoding of the configuration and persistence setup, and will perform the\r\nsame behavior as one with three arguments.\r\nThree arguments.\r\nThe launcher first decrypts the config.res file with a hardcoded Data Encryption Standard (DES)\r\nkey.
It encodes it using another key and writes it to the registry key “Software\\Classes\\scConfig”\r\n(HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER hive, depending on the privileges\r\nof the process).\r\nAfter decrypting the configuration, the config.res file is deleted.\r\nDepending on the privileges of the process, the malware will add a value to the\r\n“Software\\Microsoft\\Windows\\CurrentVersion\\Run” key, or it will create a service that runs the\r\nmalware at boot time.\r\nThe launcher decrypts the data.res file with a different hardcoded DES key. The result is a file with\r\nthe following structure:\r\nSize of the 32-bit shellcode\r\n32-bit shellcode\r\nSize of the 64-bit shellcode\r\n64-bit shellcode\r\nTable 2. Structure of decrypted data.res file\r\nLastly, the launcher starts a suspended process with the command line\r\n“C:\\Windows\\system32\\svchost.exe -k LocalServices” and injects the appropriate shellcode into it (either\r\n32- or 64-bit). It will then resume the newly created process and exit the current process.\r\nThe following diagram summarizes the launch procedure:\r\nFigure 2. The launch procedure of the updated tool\r\nThe payload itself is a new version of SysUpdate.\r\nAnalysis of the Payload\r\nThe features of the updated SysUpdate payload look similar to its previous versions. We observed that the C++\r\ncode is structured around classes, many of which have self-explanatory names. Some of these classes, such as\r\nCCompress, CIOStreamIF, or CTcpSocket, have been present in the older versions of SysUpdate and compiled\r\nnear the end of 2015.\r\nOthers have been in existence for many years, such as TPacket, SCM Client, SystemInfo, CMD5, CIOStream, and\r\nCInfo.
Some of them are newer and have been developed in 2020, such as ConfigReg, CWorkQueue,\r\nWindowsEvent, and CEncoder or cudp.\r\nThe sample we’ve analyzed contained many new and unique classes that featured a particular naming convention.\r\nThe names of classes are mostly self-explanatory, and the manner in which the classes have been organized is\r\nprobably the result of a framework developed by the threat actor.\r\nSome of the classes’ names start with “H” (HControl, HSleep, and HTrans), “I” (IAgent, ITcpAgent, and\r\nIAgentListener), “T” (TCommon, TFileInfo, TFileRename, TFileUpload, TServicesInfo, TListUser, and\r\nTTransmit), “C” (CSSLAgent, CSocks5, and CTcpAgent) or “CM” (CMCapture, CMFile, CMPipeClient,\r\nCMPipeServer, CMProcess, CMServices, and CMShell).\r\nThe communication is made via a named pipe (in our case, it’s “\\\\.\\pipe\\testPipe”). Multiple features that are\r\nexpected of an espionage backdoor are present in the sample. These include a screenshot feature, file management\r\nfunctions (such as search, delete, move, upload, and download), process and services management, and command\r\nexecution.\r\nIt should be noted that we also found recent samples of the SysUpdate backdoor that do not implement these\r\n“new” classes. This suggests that different groups (or subgroups of Iron Tiger) are also using this malware family\r\nin their attacks.\r\nPandora Backdoor\r\nOn two occasions (in March and October 2020), we found a kernel rootkit that had been deployed. After analysis,\r\nit appears that this rootkit’s behavior is very similar to that of the NDISProxy driver and remote access trojan\r\n(RAT).
The version we found is slightly different — the driver isn’t digitally signed but instead\r\nutilizes a known exploit to bypass Windows Driver Signature Enforcement (DSE) protection and load the driver\r\ndirectly into the system.\r\nWe chose to call it “Pandora” based on the program database (PDB) path of the unpacked stage 2, which is\r\n“F:\\Pandora\\x\\drv(32-64)\\bin\\src\\drvx64.pdb.”\r\nThe rootkit has multiple stages before getting to the actual payload:\r\nStage 1\r\nGrants system privileges via Windows services\r\nUses DLL sideloading technique to evade security solutions\r\nStarts and injects code to a new svchost process to prevent tracking\r\nStage 2\r\nUtilizes a known vulnerability (CPU-Z CVE-2017-15303) that allows it to read and write\r\ninto physical memory and read CPU control registers to turn the DSE off. This is done in conjunction with\r\nthe Process Monitor driver (procxp152.sys), both of which are dropped upon loading the rootkit, even if\r\nthey are not originally installed in the machine.\r\nLoads \"drvx64.sys,\" a crafted Windows Presentation Foundation (WPF) driver\r\nStage 2 - Driver\r\nRegisters WPF callback and filters incoming traffic with a predefined token\r\nInjects final payload into \"lsass.exe\"\r\nStage 3 - Final Payload\r\nInstalls itself as a Windows service\r\nSets a specific keyword for communication\r\nExchanges messages and commands with the kernel driver\r\nPerforms backdoor functions\r\nEach backdoor has a different token that is encrypted in the registry. If the incoming traffic contains a token and is\r\nin the HTTP format, the backdoor will intercept the traffic and process the command. In the version that we’ve\r\nanalyzed, the installer writes the token in the registry key.
We can’t trigger the backdoor without a current token,\r\nwhich makes the backdoor more difficult to find and analyze.\r\nSample | Token | Mutex | Semaphore\r\nPandora 20200310 | FHHqw@nF4Jo0vPAU180IP5h9umnd4KFi | ENDnetfilter | 234netfilter\r\nPandora 20201010 | Qp$zo\u0026FgPBjGhm(.LGi_\u0026j~tmhMO08) | ENDdsfsfs | xwwadsfsfs\r\nTable 3. Pandora backdoor samples with different tokens\r\nBased on our analysis, the Pandora backdoor incorporates more code from public repositories than previous\r\nversions did.\r\nFeature | Name | Repository\r\nDriver memory injection | Blackbone | https://github.com/DarthTon/Blackbone\r\nNDIS network filtering driver | WFP Sample | \"WDK\\Windows Filtering Platform Stream Edit Sample/C++/sys/stream_callout.c\"\r\nParse HTTP packets | HTTP Parser | https://github.com/nodejs/http-parser\r\nTurn off DSE | StryKer | https://github.com/hfiref0x/Stryker\r\nEncrypted Communication | D3DES | https://gitlab.gnome.org/GNOME/gtk-vnc/-/blob/v0.1.0/src/d3des.c\r\nCompression | QuickLZ | https://github.com/robottwo/quicklz\r\nTable 4. Pandora’s public code repositories\r\nRootkits From a Public Repository\r\nWe found two different rootkits that are being used for hiding processes, files, and services.\r\nBoth of them were taken from a public Github repository whose authors are not associated with the threat actor.\r\nHidden.sys - https://github.com/JKornev/hidden/tree/master/\r\nThe first sample was found in April 2020. The driver was not signed and used the same DSE exploit that the\r\nPandora backdoor uses in order to load.\r\nThe second sample was found in October 2020 and was signed by a legitimate certificate from Beijing Kingsoft\r\nSecurity Software Co., Ltd., a Chinese security software company. The certificate has been valid since February\r\n2020.
We have communicated with Kingsoft Corporation Limited regarding this issue and they have confirmed\r\nthat as of writing, the certificate has already been voided.\r\nFigure 3. Hidden.sys properties and digital signature details\r\nThe tool is used to hide the threat actors’ tools and services. The tool’s configuration was added to registry run\r\nkeys on a victim’s computer.\r\nHidden Registry/Folder/File\r\nType | Value\r\nREG | HKLM\\SYSTEM\\CurrentControlSet\\services\\HiddenService\r\nREG | HKLM\\SYSTEM\\CurrentControlSet\\services\\servTest\r\nREG | HKLM\\SYSTEM\\CurrentControlSet\\services\\TrkWkss\r\nFolder | C:\\programdata\\vlc\r\nFile | C:\\programdata\\vlc\\vlc.exe\r\nFolder | C:\\programdata\\test\r\nFile | C:\\programdata\\test\\dlpumgr32.exe\r\nFile | C:\\windows\\system32\\drivers\\Hidden.sys\r\nFile | C:\\windows\\system32\\HiddenService.exe\r\nTable 5. The tool’s configuration\r\nThe references to “Hidden” are related to the rootkit itself. The “dlpumgr32.exe” and “servTest” lines are related\r\nto the new version of SysUpdate which we described earlier.\r\nWe do not know which malware variant is being sideloaded by vlc.exe. It is probably installed as a service named\r\n“TrkWkss.” We found a SysUpdate sample compiled in November 2020 that abuses a DLL sideloading\r\nvulnerability in VLC (see IOC list). This confirms that this threat actor is abusing this legitimate program to\r\nsideload its backdoors.\r\nHyperBro Malware Family\r\nThe Iron Tiger APT group has used the HyperBro malware family since at least 2017.
It is the evolved version of\r\nHttpBrowser, which the group has been using since at least 2015.\r\nWe found earlier versions of this malware that were sideloaded by malicious DLL files that unpacked and loaded a\r\nbinary file named “thumb.db” in memory. All the requests were sent to the C\u0026C server on port 443, with “/ajax”\r\nas the uniform resource identifier (URI).\r\nWhile investigating Operation DRBControl, we found an updated version of this malware family that implements\r\nsome new classes. We provided a detailed analysis of this new HyperBro version in our research.\r\nWe also discovered that the binary file that’s being unpacked and loaded in memory by malicious DLL files is\r\nnamed “thumb.dat.” We also saw that all requests sent to the C\u0026C server were sent to the URI “/api/v2/ajax” on\r\nport 443.\r\nSince we analyzed that single sample, we found several new samples that matched the newer behavior, some of\r\nwhich have been deployed in our gambling target.\r\nHowever, we continue seeing samples that feature the “older” behaviors, which suggests that different groups —\r\nor possibly subgroups of Iron Tiger — are using this malware family.
Some of these samples match the target and\r\nbehavior listed by ESET in their blog.\r\nFRP Tool\r\nWe found the FRP tool being used on a Linux host, which is similar to Avast’s findings in a report\r\nthat they published on the Iron Tiger threat actor.\r\nThe FRP tool that we analyzed was a modified version, which was possibly copied off of Github.\r\nType 1 Malware Family\r\nWe found three new samples of the Type 1 malware family that abuses Dropbox as a secondary C\u0026C channel,\r\nwhich we described in our Operation DRBControl whitepaper.\r\nApart from a modification in the malware sample’s configuration (which happened after we published our paper),\r\nthe differences with the versions that we analyzed in 2019 are minor. The version numbering was at 11.0, while\r\nthe last sample we analyzed in August 2019 was at version number 9.0. This shows that the development is still\r\nactive.\r\nOn the infrastructure side, we observed that the threat actor switched from using IP addresses hosted on the\r\nGoogle Cloud Platform (GCP) to IP addresses hosted on Microsoft Azure.\r\nIt should be noted that after our blog publication in February 2020, the threat actor compiled new Type 1 malware\r\nsamples using a new configuration, which prevented us from closely monitoring their operations. We believe that\r\nthis was a direct reaction to our research, suggesting that the threat actor read our investigation.\r\nIt’s also important to note that the compilation timestamps of the sideloaded DLLs were set a few months in\r\nadvance. For example, the binaries that we found in March and April 2020 had an August 26, 2020 compilation\r\ndate. This is consistent with the behavior that we noticed during Operation DRBControl, wherein some binaries\r\nthat have been found in mid-2019 had a compilation date of March 4, 2020.
This shows that the threat actors\r\nintended to confuse forensics investigators with incorrect timestamps, which is why it’s critical to analyze\r\ntimestamps with caution during investigations.\r\nInfection Vector\r\nWe could not confirm the primary infection vector. However, traces of the exploitation of the Microsoft Exchange\r\nvulnerability CVE-2020-0688 were found.\r\nMultiple infection vectors have been attributed to this threat actor in the past:\r\nWatering holes\r\nWeaponized documents exploiting the Dynamic Data Exchange (DDE) method\r\nWeaponized documents exploiting the CVE-2018-0798 vulnerability in Equation Editor\r\nExploitation of the CVE-2019-0604 vulnerability in Sharepoint\r\nSupply chain attack that compromises a chat software installer, Able Desktop\r\nExploitation of recent vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft\r\nExchange Server\r\nDuring our investigation, we found some old samples that fit in these categories but have not been reported. They\r\nare unrelated to this campaign and can be found in our IOC list.\r\nTargets\r\nThe closer look into Iron Tiger was prompted because of an incident response investigation involving a\r\nPhilippine-based gambling company that the group targeted. True to form, the Iron Tiger threat actor has targeted\r\nthe same company for 18 months.\r\nAside from targeting the same company, Iron Tiger also targeted other countries and industries. Over the past 18\r\nmonths, we observed how the group targeted governments, banks, telecommunication providers, and even the\r\nenergy sector in the Middle East and Southeast Asia.\r\nFigure 3.
The countries that Iron Tiger has targeted in the past 18 months\r\nTimeline\r\nThe following timeline shows different samples found in the same gambling company that Talent-Jump and Trend\r\nMicro investigated:\r\nJuly 2019: Operation DRBControl starts\r\nOctober 2019: One HyperBro malware sample found\r\nMarch 2020: New sample of Type 1 malware variant and a rootkit called Pandora found\r\nApril 2020: One rootkit sample for hiding processes, files, and services found\r\nOctober 2020: New HyperBro and Pandora samples found\r\nDecember 2020: One sample of the SysUpdate malware variant found\r\nJanuary 2021: Fast Reverse Proxy (FRP) Linux tool found\r\nConclusion\r\nThis investigation provides more insight into the evolution of Iron Tiger’s toolkit and shows the threat actor’s\r\npersistence after targeting the same company for 18 months, as well as expanding its target base to include other\r\ncompanies and sectors in different countries in the Middle East and Southeast Asia.\r\nWe detailed how Iron Tiger threat actors have updated their tools, adding new features, and slightly changing their\r\ntactics, techniques, and procedures (TTPs), notably by using a rootkit to hide its backdoors. The different\r\ncampaigns with different versions of the same tools concurrently being used suggest that there might be subgroups\r\nfor this threat actor, or multiple groups with access to the builders of these tools.\r\nWe expect to see more cases involving four or five files instead of the usual “trident” in the future.\r\nThe indicators of compromise (IoCs) can be found in this appendix.
\r\nSource: https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html"
	],
	"report_names": [
		"iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5b18d33f92a2d419c68d98fcc5feb716b78d57e.pdf",
		"text": "https://archive.orkl.eu/a5b18d33f92a2d419c68d98fcc5feb716b78d57e.txt",
		"img": "https://archive.orkl.eu/a5b18d33f92a2d419c68d98fcc5feb716b78d57e.jpg"
	}
}