{ "id": "be99d83e-a397-4541-9538-856366d905b1", "created_at": "2026-04-06T00:14:12.897081Z", "updated_at": "2026-04-10T13:12:05.383057Z", "deleted_at": null, "sha1_hash": "a90fa85bbe07c14057eee1835edf3af5721d9597", "title": "FamousSparrow: A suspicious hotel guest", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 947044, "plain_text": "FamousSparrow: A suspicious hotel guest\r\nBy Matthieu FaouTahseen Bin Taj\r\nArchived: 2026-04-02 10:49:09 UTC\r\nESET researchers have uncovered a new cyberespionage group targeting hotels, governments, and private\r\ncompanies worldwide. We have named this group FamousSparrow and we believe it has been active since at least\r\n2019.\r\nReviewing telemetry data during our investigation, we realized that FamousSparrow leveraged the Microsoft\r\nExchange vulnerabilities known as ProxyLogon that we described extensively in March 2021. As a reminder, this\r\nremote code execution vulnerability was used by more than 10 APT groups to take over Exchange mail servers\r\nworldwide. According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities on March 3rd,\r\n2021, the day following the release of the patch, so it is yet another APT group that had access to the ProxyLogon\r\nremote code execution vulnerability in March 2021.\r\nIn this blogpost we will discuss the attribution to FamousSparrow and the group’s victimology. This will be\r\nfollowed by a detailed technical analysis of the group’s main backdoor that we have named SparrowDoor.\r\nA note on attribution\r\nFamousSparrow is a group that we consider as the only current user of the custom backdoor, SparrowDoor (which\r\nwe cover in detail in the later sections of this blogpost). It also uses two custom versions of Mimikatz (see the\r\nIndicators of Compromise section) that could be used to connect incidents to this group.\r\nWhile we consider FamousSparrow to be a separate entity, we found connections to other known APT groups. In\r\none case, attackers deployed a variant of Motnug that is a loader used by SparklingGoblin. In another case, on a\r\nmachine compromised by FamousSparrow, we found a running Metasploit with cdn.kkxx888666[.]com as its\r\nC\u0026C server. This domain is related to a group known as DRBControl.\r\nVictimology\r\nThe group has been active since at least August 2019 and it mainly targets hotels worldwide. In addition, we have\r\nseen a few targets in other sectors such as governments, international organizations, engineering companies and\r\nlaw firms in the following countries:\r\nBrazil\r\nBurkina Faso\r\nSouth Africa\r\nCanada\r\nIsrael\r\nFrance\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 1 of 14\n\nGuatemala\r\nLithuania\r\nSaudi Arabia\r\nTaiwan\r\nThailand\r\nUnited Kingdom\r\nFigure 1. Geographic distribution of FamousSparrow targets\r\nCompromise vector\r\nIn a few cases, we were able to find the initial compromise vector used by FamousSparrow and these systems\r\nwere compromised through vulnerable internet-facing web applications. We believe FamousSparrow exploited\r\nknown remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021),\r\nMicrosoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop\r\nvarious malicious samples.\r\nOnce the server is compromised, attackers deploy several custom tools:\r\nA Mimikatz variant\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 2 of 14\n\nA small utility that drops ProcDump on disk and uses it to dump the lsass process, probably in order to\r\ngather in-memory secrets, such as credentials\r\nNbtscan, a NetBIOS scanner\r\nA loader for the SparrowDoor backdoor\r\nThrough our telemetry, we were able to recover only the loader component (SHA-1:\r\nE2B0851E2E281CC7BCA3D6D9B2FA0C4B7AC5A02B). We also found a very similar loader on VirusTotal\r\n(SHA-1: BB2F5B573AC7A761015DAAD0B7FF03B294DC60F6) that allowed us to find the missing\r\ncomponents, including SparrowDoor.\r\nSparrowDoor\r\nLoader\r\nSparrowDoor is initially loaded via DLL search order hijacking, using three elements – a legitimate K7\r\nComputing executable (Indexer.exe) used as the DLL hijacking host, a malicious DLL (K7UI.dll), and encrypted\r\nshellcode (MpSvc.dll) – all of which are dropped in %PROGRAMDATA%\\Software\\. It can be assumed that the\r\ncommand line argument used with the initial SparrowDoor execution, in order to set up persistence, is either\r\nnothing or anything but -i, -k or -d (the functionalities of these three arguments are explained below). Once\r\npersistence is set up, SparrowDoor is executed with the -i command line argument. Refer to Figure 2 for a brief\r\noverview of the flow of the initial loading process. If you would like an in-depth look into the loading process,\r\ncontinue reading!\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 3 of 14\n\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 4 of 14\n\nFigure 2. SparrowDoor staging\r\nThe legitimate executable, Indexer.exe, requires the library K7UI.dll to operate. Therefore, the OS looks for the\r\nDLL file in directories in the prescribed load order. Since the directory where the Indexer.exe file is stored is at the\r\ntop priority in the load order, it is exposed to DLL search-order hijacking. And that is exactly how the malware\r\ngets loaded. Indexer.exe loads the malicious K7UI.dll, which in turn patches the code in Indexer.exe (from call\r\nWinMain to jmp K7UI.0x100010D0) and then returns to Indexer.exe. As a result of this, Indexer.exe ends up\r\nrunning a subroutine in K7UI.dll (located in the .text section) instead of calling WinMain. We will refer to this\r\nsubroutine as launcher. The functionality of launcher is to load MpSvc.dll (the encrypted shellcode) into\r\nmemory from the directory that also stores Indexer.exe, decrypt the content and then execute the shellcode.\r\nThe shellcode (MpSvc.dll) is encrypted using four-byte XOR with the key being the first four bytes of the file.\r\nThe MpSvc.dll shellcode loads various libraries responsible for building a PE structure and locates the addresses\r\nof the functions to be used. After that, it allocates RWX memory and copies various locations in the shellcode into\r\nit (in order to build the PE structure). It also resolves the imports of several functions from different libraries.\r\nFinally, it executes the newly built backdoor PE from the entry point. Interestingly, this rebuilt executable image\r\nhas no PE headers, as shown in Figure 2, so the loader executes the backdoor by jumping to the entry point at a\r\nhardcoded offset within the allocated memory.\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 5 of 14\n\nFigure 3. The PE header is missing in the newly built backdoor from the MpSvc.dll shellcode\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 6 of 14\n\nBackdoor\r\nThe arguments passed to the backdoor are inherited from the arguments passed to Indexer.exe, or to any other\r\nbinary that gets the shellcode/backdoor injected. The tasks performed by the backdoor after an argument is\r\nspecified are shown in Table 1.\r\nTable 1. Actions performed based on the command line arguments provided to SparrowDoor\r\nArgument Action\r\nNo argument or not\r\nmatching the\r\nfollowing\r\nPersistence is set through the registry Run key and a service, which is created and\r\nstarted using the configuration data (described in the next section) hardcoded in the\r\nbinary. Finally, the backdoor is restarted with the -i switch.\r\n-i The backdoor is restarted with the -k switch.\r\n-k The backdoor interpreter (described later) is called with a kill switch.\r\n-d The backdoor interpreter is called without a kill switch.\r\nNote:\r\n1. The kill switch gives the backdoor the privilege to uninstall or restart SparrowDoor.\r\n2. The backdoor interpreter gets called regardless of the argument used because it will always end up with a -\r\nk or -d argument.\r\nConfiguration data\r\nThe configuration is found in the binary and is decrypted using the multi-byte XOR key ^\u002632yUgf. The\r\nconfiguration has the following format:\r\nstruct config\r\n{\r\n char domain[64];\r\n char user [64];\r\n char pass[64];\r\n char ip[64];\r\n char port[2];\r\n char serviceName[64];\r\n char serviceDisplayName[128];\r\n char serviceDescription[128];\r\n};\r\nThe decrypted values are shown in Table 2.\r\nTable 2. The key-value pairs of the configuration along with a description of their purpose\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 7 of 14\n\nKey Value Purpose\r\ndomain credits.offices-analytics[.]com C\u0026C server domain\r\nuser user\r\nProxy settings used to connect to C\u0026C\r\nserver\r\npass pass  \r\nip 127.1.1.1  \r\nport 8080  \r\nserviceName WSearchIndex\r\nInformation used for creating a service to\r\nset up persistence. Also, note that the\r\nserviceName is used as the value name\r\nunder the Run key in the registry\r\nserviceDisplayName Windows Search Index  \r\nserviceDescription\r\nProvides content indexing,\r\nproperty caching, and search\r\nresults for files, e-mail, and other\r\ncontent.\r\n \r\nThe connections could be either through a proxy or not, and they connect to the C\u0026C server over port 443\r\n(HTTPS). So, the communication should be encrypted using TLS. During the first attempt to contact the C\u0026C\r\nserver, SparrowDoor checks whether a connection can be established without using a proxy, and if it can’t, then\r\nthe data is sent through a proxy. All outgoing data is encrypted using the XOR key hH7@83#mi and all incoming\r\ndata is decrypted using the XOR key h*^4hFa. The data has a structure that starts with a Command ID, followed\r\nby the length of the ensuing encrypted data, followed by the encrypted data.\r\nFigure 4 shows an example of how the data is sent to the C\u0026C server (in this case it is sending system\r\ninformation), while Figure 5 shows the plaintext form of the same data payload.\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 8 of 14\n\nFigure 4. A Wireshark dump showing the data POSTed by the backdoor\r\nFigure 5. The decrypted data containing system information\r\nVictim’s local IP address in this case can be converted to decimal, giving 192.168.42.1.\r\nSession ID is the Remote Desktop Services session ID associated with the backdoor process, found using the\r\nProcessIdToSessionId Windows API call.\r\nThe systemInfoHash is computed via the sdbm hash algorithm, using the username, computer name, host\r\naddresses and the session ID.\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 9 of 14\n\nBackdoor interpreter function\r\nPrivilege escalation is performed in this function by adjusting the access token of the SparrowDoor process to\r\nenable SeDebugPrivilege. After that, the shutdown function (Ws2_32.dll) is patched to prevent disabling sends\r\nand receives on a socket and the closesocket function (Ws2_32.dll) is patched to enable the DONT_LINGER\r\noption first to close the socket without waiting for pending data to be sent or received. Finally, system information\r\nis sent to the C\u0026C server (as seen in Figures 4 and 5 above) to receive data back in return.\r\nBased on the Command ID field in the data received from the C\u0026C server, the backdoor can perform different\r\nmalicious actions that are detailed in Table 3.\r\nTable 3. Actions performed by SparrowDoor when the corresponding Command IDs are received\r\nCommand ID Action\r\n0x1C615632 The current process is closed.\r\n0x1DE15F35\r\nA child svchost.exe process is spawned with processToken information of the process\r\n(Process ID) specified by the C\u0026C server, with argument -d and then the shellcode is\r\ninjected into the process.\r\n0x1A6B561A A directory is created using the name provided by the C\u0026C server.\r\n0x18695638\r\nA file is renamed. Both the file to be renamed and the new name are provided by the C\u0026C\r\nserver.\r\n0x196A5629 A file is deleted, as specified in the incoming data.\r\n0x17685647\r\nIf length of the data is 1, and the data matches $, then the length of systemInfoHash along\r\nwith an array of drive types are sent.\r\nIf length of the data is greater than 2 and the first 2 bytes of data match $\\, then information\r\nabout the files in a specified directory is sent. The information included is the following: file\r\nattributes, file size and file write time.\r\n0x15665665 A new thread is created to exfiltrate the content of a specified file.\r\n0x16675656\r\nIf the kill switch is activated, the current persistence settings (registry and service) are\r\nremoved and the Indexer.exe file is executed (to restart the dropper). If not, the backdoor\r\nloop is restarted.\r\n0x14655674 A new thread is created to write the data to a specified file.\r\n0x12635692\r\nIf the kill switch is activated, the persistence settings are removed, and all the files used by\r\nSparrowDoor (Indexer.exe, K7UI.dll and MpSvc.dll) are removed. If not, the backdoor loop\r\nis restarted.\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 10 of 14\n\nCommand ID Action\r\n0x13645683\r\nIf the data matches \"switch ”, then the backdoor is restarted with the -d switch.\r\nIf not, it spawns a cmd.exe shell, and sets up named pipes for input and output (used by the\r\nC\u0026C server) to establish an interactive reverse shell.\r\nIf the data matches Exit\\r\\n, then the spawned shell is terminated.\r\nOther Restarts the backdoor loop.\r\nConclusion\r\nFamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability\r\nearly in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint\r\nand Oracle Opera. This is another reminder that it is critical to patch internet-facing applications quickly, or, if\r\nquick patching is not possible, to not expose them to the internet at all.\r\nThe targeting, which includes governments worldwide, suggests that FamousSparrow’s intent is espionage. We\r\nhave highlighted some links to SparklingGoblin and DRBControl, but we don’t consider that these groups are the\r\nsame.\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nIndicators of Compromise\r\nUPDATE (October 13th, 2021): The IP address 45.192.178[.]206 was removed from the Indicators of\r\nCompromise. This was a mistake on our end.\r\nSHA-1 Filename ESET detection name Description\r\nB9601E60F87545441BF8\r\n579B2F62668C56507F4A\r\np64.exe\r\ndebug.log\r\nWin64/Riskware.Mimikatz.H Mimikatz\r\n4DF896624695EA278055\r\n2E9EA3C40661DC84EFC8\r\np64.exe\r\ndebug.log\r\nWin64/Riskware.Mimikatz.H Mimikatz\r\n76C430B55F180A85F4E1\r\nA1E40E4A2EA37DB97599\r\ndump.exe Win64/Kryptik.BSQ Lsass dumper\r\n873F98CAF234C3A8A9DB\r\n18343DAD7B42117E85D4\r\nnbtscan.exe Win32/NetTool.Nbtscan.A Nbtscan\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 11 of 14\n\nSHA-1 Filename ESET detection name Description\r\nFDC44057E87D7C350E6D\r\nF84BB72541236A770BA2\r\n1.cab Win32/FamousSparrow.A Dropper\r\nC36ECD2E0F38294E1290\r\nF4B9B36F602167E33614\r\nIndexer.exe -\r\nLegitimate K7\r\nComputing binary\r\nBB2F5B573AC7A761015D\r\nAAD0B7FF03B294DC60F6\r\nK7UI.dll Win32/FamousSparrow.A Loader\r\n23E228D5603B4802398B\r\n2E7419187AEF71FF9DD5\r\nMpSvc.dll  \r\nEncrypted\r\nshellcode\r\n2560B7E28B322BB7A56D\r\n0B1DA1B2652E1EFE76EA\r\n- -\r\nDecrypted\r\nshellcode\r\nE2B0851E2E281CC7BCA3\r\nD6D9B2FA0C4B7AC5A02B\r\nK7UI.dll Win32/FamousSparrow.B Loader\r\nDomain IP address Comment\r\ncredits.offices-analytics[.]com - SparrowDoor C\u0026C server\r\n- 27.102.113[.]240 Delivery domain\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 9 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1588.005\r\nObtain Capabilities:\r\nExploits\r\nFamousSparrow used RCE vulnerabilities\r\nagainst Microsoft Exchange, SharePoint and\r\nOracle Opera.\r\nT1583.001\r\nAcquire Infrastructure:\r\nDomains\r\nFamousSparrow purchased a domain at Hosting\r\nConcepts.\r\nT1583.004\r\nAcquire Infrastructure:\r\nServer\r\nFamousSparrow rented servers at Shanghai\r\nRuisu Network Technology and DAOU\r\nTECHNOLOGY.\r\nInitial Access T1190\r\nExploit Public-Facing\r\nApplication\r\nFamousSparrow used RCE vulnerabilities\r\nagainst Microsoft Exchange, SharePoint and\r\nOracle Opera.\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 12 of 14\n\nTactic ID Name Description\r\nExecution\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows\r\nCommand Shell\r\nFamousSparrow used cmd.exe to run\r\ncommands to download and install\r\nSparrowDoor.\r\nT1203\r\nExploitation for Client\r\nExecution\r\nFamousSparrow used RCE vulnerabilities in\r\nMicrosoft Exchange, SharePoint and Oracle\r\nOpera to install SparrowDoor.\r\nPersistence\r\nT1547.001\r\nBoot or Logon Autostart\r\nExecution: Registry Run\r\nKeys / Startup Folder\r\nSparrowDoor achieves persistence through the\r\nHKCU Run registry value WSearchIndex =\r\n\\Indexer.exe -i registry entry.\r\nT1543.003\r\nCreate or Modify\r\nSystem Process:\r\nWindows Service\r\nFamousSparrow installs SparrowDoor as a\r\nservice named WSearchIndex.\r\nT1574.001\r\nHijack Execution Flow:\r\nDLL Search Order\r\nHijacking\r\nFamousSparrow loads the malicious K7UI.dll\r\nthrough DLL search order hijacking.\r\nDefense\r\nEvasion\r\nT1055.001\r\nProcess Injection:\r\nDynamic-link Library\r\nInjection\r\nMpSvc.dll (shellcode) is injected into processes\r\nby SparrowDoor.\r\nT1134.002\r\nAccess Token\r\nManipulation: Create\r\nProcess with Token\r\nSparrowDoor creates processes with tokens of\r\nprocesses specified by the C\u0026C server, using\r\nthe CreateProcessAsUserA API.\r\nT1134\r\nAccess Token\r\nManipulation\r\nSparrowDoor tries to adjust its token privileges\r\nto receive SeDebugPrivilege.\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nThe shellcode, MpSvc.dll, is encrypted using\r\nXOR, along with the config embedded within\r\nSparrowDoor.\r\nCredentials\r\nAccess\r\nT1003 OS Credential Dumping\r\nFamousSparrow makes use of a custom\r\nMimikatz version.\r\nDiscovery\r\nT1082\r\nSystem Information\r\nDiscovery\r\nSparrowDoor collects the username,\r\ncomputername, RDP session ID, and drive\r\ntypes in the system and sends this data to the\r\nC\u0026C server.\r\nT1083 File and Directory\r\nDiscovery\r\nSparrowDoor can probe files in a specified\r\ndirectory obtaining their names, attributes, sizes\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 13 of 14\n\nTactic ID Name Description\r\nand last modified times, and sends this data to\r\nthe C\u0026C server.\r\nCollection T1005 Data from Local System\r\nSparrowDoor has the ability to read file\r\ncontents and exfiltrate them to the C\u0026C server.\r\nCommand and\r\nControl\r\nT1071.001\r\nApplication Layer\r\nProtocol: Web Protocols\r\nSparrowDoor communicates with the C\u0026C\r\nserver using the HTTPS protocol.\r\nT1573.001\r\nEncrypted Channel:\r\nSymmetric\r\nCryptography\r\nSparrowDoor encrypts/decrypts\r\ncommunications with its C\u0026C server using\r\ndifferent multi-byte XOR keys.\r\nExfiltration T1041\r\nExfiltration Over C2\r\nChannel\r\nSparrowDoor exfiltrates data over its C\u0026C\r\nchannel.\r\nSource: https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nhttps://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/\r\nPage 14 of 14", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/" ], "report_names": [ "famoussparrow-suspicious-hotel-guest" ], "threat_actors": [ { "id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6", "created_at": "2022-10-25T16:07:23.605611Z", "updated_at": "2026-04-10T02:00:04.685162Z", "deleted_at": null, "main_name": "FamousSparrow", "aliases": [ "Earth Estries" ], "source_name": "ETDA:FamousSparrow", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "c8b57a00-18f4-4e49-9954-849de5e97506", "created_at": "2023-11-05T02:00:08.065073Z", "updated_at": "2026-04-10T02:00:03.395154Z", "deleted_at": null, "main_name": "SparklingGoblin", "aliases": [], "source_name": "MISPGALAXY:SparklingGoblin", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f0eca237-f191-448f-87d1-5d6b3651cbff", "created_at": "2024-02-06T02:00:04.140087Z", "updated_at": "2026-04-10T02:00:03.577326Z", "deleted_at": null, "main_name": "GhostEmperor", "aliases": [ "OPERATOR PANDA", "FamousSparrow", "UNC2286", "Salt Typhoon", "RedMike" ], "source_name": "MISPGALAXY:GhostEmperor", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff", "created_at": "2024-12-28T02:01:54.899899Z", "updated_at": "2026-04-10T02:00:04.880446Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Earth Estries", "FamousSparrow", "GhostEmperor", "Operator Panda", "RedMike", "Salt Typhoon", "UNC2286" ], "source_name": "ETDA:Salt Typhoon", "tools": [ "Agentemis", "Backdr-NQ", "Cobalt Strike", "CobaltStrike", "Crowdoor", "Cryptmerlin", "Deed RAT", "Demodex", "FamousSparrow", "FuxosDoor", "GHOSTSPIDER", "HemiGate", "MASOL RAT", "Mimikatz", "NBTscan", "NinjaCopy", "ProcDump", "PsExec", "PsList", "SnappyBee", "SparrowDoor", "TrillClient", "WinRAR", "Zingdoor", "certutil", "certutil.exe", "cobeacon", "nbtscan" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434452, "ts_updated_at": 1775826725, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a90fa85bbe07c14057eee1835edf3af5721d9597.pdf", "text": "https://archive.orkl.eu/a90fa85bbe07c14057eee1835edf3af5721d9597.txt", "img": "https://archive.orkl.eu/a90fa85bbe07c14057eee1835edf3af5721d9597.jpg" } }