{
	"id": "8084df15-b27a-48f9-8914-e609712efb9b",
	"created_at": "2026-04-06T00:19:10.905762Z",
	"updated_at": "2026-04-10T03:34:57.088282Z",
	"deleted_at": null,
	"sha1_hash": "accb1c668222991f2febb297e62acd8dfc3f3112",
	"title": "NICKEL targeting government organizations across Latin America and Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1275977,
	"plain_text": "NICKEL targeting government organizations across Latin\r\nAmerica and Europe\r\nBy Microsoft Digital Security Unit (DSU), Microsoft Threat Intelligence\r\nPublished: 2021-12-06 · Archived: 2026-04-05 20:44:46 UTC\r\nThe Microsoft Threat Intelligence Center (MSTIC) has observed NICKEL, a China-based threat actor, targeting\r\ngovernments, diplomatic entities, and non-governmental organizations (NGOs) across Central and South America,\r\nthe Caribbean, Europe, and North America. MSTIC has been tracking NICKEL since 2016 and observed some\r\ncommon activity with other actors known in the security community as APT15, APT25, and KeChang. Today, the\r\nMicrosoft Digital Crimes Unit (DCU) announced the successful seizure of a set of NICKEL-operated websites\r\nand disruption of their ongoing attacks targeting organizations in 29 countries, following a court order from the\r\nU.S. District Court for the Eastern District of Virginia granting Microsoft the authority to seize these sites.\r\nMSTIC has tracked the current NICKEL operations, including attacks against government organizations,\r\ndiplomatic entities, and NGOs, since September 2019. During this time, NICKEL activity has been observed\r\nacross several countries, with a large amount of activity targeting Central and South American governments.\r\nNotably, NICKEL has achieved long-term access to several targets, allowing NICKEL to conduct activities such\r\nas regularly scheduled exfiltration of data. As China’s influence around the world continues to grow and the nation\r\nestablishes bilateral relations with more countries and extends partnerships in support of China’s Belt and Road\r\nInitiative, we assess that China-based threat actors will continue to target customers in government, diplomatic,\r\nand NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence\r\ncollection objectives. 
Portions of the NICKEL activity we are highlighting have also been blogged about by our\r\ncolleagues at ESET.\r\nhttps://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe\r\nPage 1 of 13\n\nFigure 1: NICKEL targeted countries: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile,\r\nColombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras,\r\nHungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago,\r\nUnited Kingdom, United States of America, Venezuela\r\nAs with any observed nation-state actor activity, Microsoft continues to notify customers that have been targeted\r\nor compromised, providing them with the information they need to help secure their organizations. To reduce the\r\npotential impact of this NICKEL activity, Microsoft encourages our customers to immediately review the activity\r\nand guidance below, then implement risk mitigations, harden environments, and investigate suspicious behaviors\r\nthat match the tactics described in this blog. MSTIC will continue to observe, monitor, and notify affected\r\ncustomers and partners, when possible, through our nation-state notification process.\r\nObserved activity\r\nMSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access\r\nservices and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain\r\nlegitimate credentials, which they used to gain access to victim accounts. 
NICKEL actors created and deployed\r\ncustom malware that allowed them to maintain persistence on victim networks over extended periods of time.\r\nMSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim\r\nnetworks.\r\nNICKEL successfully compromises networks using attacks on internet-facing web applications running on\r\nunpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched\r\nVPN appliances, as referenced in the FireEye April 2021 blog detailing a 0-day vulnerability in Pulse Secure VPN\r\nthat has since been patched.\r\nAfter gaining an initial foothold on a compromised system, the NICKEL actors routinely performed\r\nreconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL\r\ntypically deployed a keylogger to capture credentials from users on compromised systems. We’ve observed\r\nNICKEL using Mimikatz, WDigest (a legacy authentication provider that, when enabled, leaves plaintext credentials\r\nin LSASS memory where dumping tools can read them), NTDSDump, and other password dumping tools to gather\r\ncredentials on a targeted system and from target browsers.\r\nDeploying malware for command and control\r\nMSTIC tracks multiple malware families used by NICKEL for command and control as Neoichor, Leeson,\r\nNumbIdea, NullItch, and Rokum.\r\nThe Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to\r\nconnect and receive commands from hardcoded C2 servers. 
Due to their reliance on IE, these malware families\r\nintentionally configure the browser settings by modifying the following registry entries:\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\r\nStart Page = “about:blank”\r\nDisableFirstRunCustomize = 1\r\nRunOnceComplete = 1\r\nRunOnceHasShown = 1\r\nCheck_Associations = 1\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery]\r\nAutoRecover = 0\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Privacy]\r\nClearBrowsingHistoryOnExit = 1\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Connection Wizard]\r\nCompleted = 1\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap]\r\nIEHarden = 0\r\nTaken together, these values suppress the first-run wizard, crash-recovery prompts and Enhanced Security\r\nConfiguration zone hardening, so an IE instance driven silently over COM does not surface dialogs a user might\r\nnotice; the same combination of values is a useful host artifact to hunt for.\r\nWhen connecting to the C2 servers, the URL requests follow these formats:\r\nhttp[:]//\u003cC2\u003e?id=\u003c5-digit-rand\u003e\u003csystem-specific-string\u003e\r\nhttp[:]//\u003cC2\u003e?setssion==\u003crand\u003e\u003cGetTickCount\u003e\r\nhttp[:]//\u003cC2\u003e?newfrs%dsetssion=\u003crand\u003e\u003cGetTickCount\u003e\r\nhttp[:]//\u003cC2\u003e/index.htm?content=\u003cbase64-system-specific-string\u003e\u0026id=\u003cnum\u003e\r\nA typical response from the C2 server is a legitimate-looking webpage containing the string “!DOCTYPE html”,\r\nwhich the malware checks. 
The malware then locates a Base64-encoded blob, which it decodes and proceeds to\r\nload as shellcode.\r\nFor the Neoichor family, the malware checks for internet connectivity by contacting bing.com with the request\r\nformat bing.com?id=\u003cGetTickCount\u003e and drops files as ~atemp and ~btemp containing error codes and debug\r\nresources.\r\nThe NICKEL implants are backdoors capable of collecting system information, such as:\r\nIP address\r\nOS version\r\nSystem language ID\r\nComputer name\r\nSigned-in username\r\nThey implement basic backdoor functionalities, including:\r\nLaunching a process\r\nUploading a file\r\nDownloading a file\r\nExecuting shellcode in memory\r\nMSTIC has observed NICKEL drop their malware into existing installed software paths. They did this to make\r\ntheir malware appear to be files used for an installed application. The following are example paths:\r\nC:\\Program Files\\Realtek\\Audio\\HDA\\AERTSr.exe\r\nC:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitRdr64.exe\r\nC:\\Program Files (x86)\\Adobe\\Flash Player\\AddIns\\airappinstaller\\airappinstall.exe\r\nC:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd64.exe\r\nUsing compromised credentials for routine email collection\r\nNICKEL used compromised credentials to sign into victims’ Microsoft 365 accounts through normal sign-ins with\r\na browser and the legacy Exchange Web Services (EWS) protocol to review and collect victim emails. MSTIC has\r\nobserved successful NICKEL sign-ins to compromised accounts through commercial VPN providers as well as\r\nfrom actor-controlled infrastructure. The activity graphed below shows NICKEL sign-in activity happening most\r\nfrequently on Monday through Friday from 12:00 AM UTC (8:00 AM China Standard Time) through 09:00 AM\r\nUTC (5:00 PM China Standard Time). 
The limited activity observed during a typical weekend also hints at a\r\nshift-based scheduling model.\r\nFigure 2: Heatmap of observed NICKEL login activity by day of week and hour (UTC time)\r\nEvidence of routine host data collection\r\nIn several observed cases, NICKEL was seen performing regular data collection for exfiltration purposes. Their\r\nactivity included looking in directories of interest for new files added since the last time they collected data. In the\r\nexample below, NICKEL was collecting data that had been created or modified multiple times over a one-month\r\nperiod. For instance, on October 22, NICKEL looked for files that had been created since October 19 in multiple\r\nfolders. Previously, on October 20 they had done the same thing looking for files that were modified or created\r\nsince October 13.\r\nHere are recent examples of NICKEL’s routine data collection:\r\nAfter collecting the data in a central directory, the attackers then used either a renamed rar.exe or 7z.exe to archive\r\nthe files. NICKEL also frequently used keyboard walks as a password for their archived data collections. The\r\nfollowing are examples of RAR archiving for exfiltration:\r\nHere is an example of 7zip archiving for exfiltration:\r\nMicrosoft will continue to monitor NICKEL activity and implement product protections for our customers. 
The\r\nIOCs, current detections, and advanced protections in place across our security products are detailed below.\r\nRecommended defenses\r\nThe following guidance can help mitigate the techniques and threat activity described in this blog:\r\nBlock legacy authentication protocols in Azure Active Directory – especially Exchange Web Services\r\n(EWS)\r\nEnable multi-factor authentication to mitigate compromised credentials.\r\nFor Office 365 users, see multi-factor authentication support.\r\nFor Consumer and Personal email accounts, see how to use two-step verification.\r\nUse passwordless solutions like Microsoft Authenticator to secure accounts.\r\nReview and enforce recommended Exchange Online access policies.\r\nBlock ActiveSync clients from bypassing Conditional Access policies.\r\nBlock all incoming traffic from anonymizing services, where possible.\r\nTurn on the following attack surface reduction rule to block or audit activity associated with this threat:\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nIndicators of compromise (IOCs)\r\nType Indicator\r\nSHA-256 02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\r\nSHA-256 0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\r\nSHA-256 0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\r\nSHA-256 10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\r\nSHA-256 12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\r\nSHA-256 1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\r\nSHA-256 22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\r\nSHA-256 259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\r\nSHA-256 26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\r\nSHA-256 35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\r\nSHA-256 3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\r\nSHA-256 
3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\r\nSHA-256 3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\r\nSHA-256 3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\r\nSHA-256 3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\r\nSHA-256 6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\r\nSHA-256 6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\r\nSHA-256 7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\r\nSHA-256 926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\r\nSHA-256 95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\r\nSHA-256 a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\r\nSHA-256 afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\r\nSHA-256 b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\r\nSHA-256 c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\r\nSHA-256 c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\r\nSHA-256 ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\r\nSHA-256 ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\r\nSHA-256 d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\r\nSHA-256 d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\r\nSHA-256 e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\r\nDomain name beesweiserdog[.]com\r\nDomain name bluehostfit[.]com\r\nDomain name business-toys[.]com\r\nDomain name cleanskycloud[.]com\r\nDomain name cumberbat[.]com\r\nDomain name czreadsecurity[.]com\r\nDomain name dgtresorgouv[.]com\r\nDomain name dimediamikedask[.]com\r\nDomain name diresitioscon[.]com\r\nDomain name elcolectador[.]com\r\nDomain name elperuanos[.]org\r\nDomain name eprotectioneu[.]com\r\nDomain name fheacor[.]com\r\nDomain name followthewaterdata[.]com\r\nDomain name francevrteepress[.]com\r\nDomain name futtuhy[.]com\r\nDomain name gardienweb[.]com\r\nDomain name heimflugaustr[.]com\r\nDomain name ivpsers[.]com\r\nDomain name jkeducation[.]org\r\nDomain name micrlmb[.]com\r\nDomain name muthesck[.]com\r\nDomain name netscalertech[.]com\r\nDomain name newgoldbalmap[.]com\r\nDomain name news-laestrella[.]com\r\nDomain name noticialif[.]com\r\nDomain name opentanzanfoundation[.]com\r\nDomain name optonlinepress[.]com\r\nDomain name palazzochigi[.]com\r\nDomain name pandemicacre[.]com\r\nDomain name papa-ser[.]com\r\nDomain name pekematclouds[.]com\r\nDomain name pipcake[.]com\r\nDomain name popularservicenter[.]com\r\nDomain name projectsyndic[.]com\r\nDomain name qsadtv[.]com\r\nDomain name sankreal[.]com\r\nDomain name scielope[.]com\r\nDomain name seoamdcopywriting[.]com\r\nDomain name slidenshare[.]com\r\nDomain name somoswake[.]com\r\nDomain name squarespacenow[.]com\r\nDomain name subapostilla[.]com\r\nDomain name suzukicycles[.]net\r\nDomain name tatanotakeeps[.]com\r\nDomain name tijuanazxc[.]com\r\nDomain name transactioninfo[.]net\r\nDomain name eurolabspro[.]com\r\nDomain name adelluminate[.]com\r\nDomain name headhunterblue[.]com\r\nDomain name primenuesty[.]com\r\nDetections\r\nMicrosoft 365 Defender\r\nAntivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nBackdoor:Win32/Leeson\r\nTrojan:Win32/Kechang\r\nBackdoor:Win32/Nightimp!dha\r\nTrojan:Win32/Rokum\r\nTrojanSpy:Win32/KeyLogger\r\nEndpoint detection and response (EDR)\r\nAlerts with the following titles in the security center can indicate NICKEL threat activity on your network:\r\nNICKEL activity group\r\nMalware associated with NICKEL activity group\r\nCommunication with NICKEL infrastructure\r\nThe following alerts may also indicate threat activity associated with NICKEL but may also be triggered by\r\nunrelated threat activity:\r\nMimikatz credential theft tool\r\nSuspected credential theft activity\r\nMalicious credential theft tool execution detected\r\nSensitive credential memory read\r\nPassword hashes dumped from LSASS memory\r\nSuspicious credential dump from NTDS.dit\r\nCompression of sensitive data\r\nStaging of sensitive data\r\nSuspicious process transferring data to external network\r\nPossible data exfiltration through multiple egress points\r\nMicrosoft 365 Defender correlates related alerts into consolidated incidents to help customers determine with\r\nconfidence if observed alerts are related to this activity. 
We also published a threat analytics report on the NICKEL\r\nactivity described in this blog. Microsoft 365 Defender customers can use the threat analytics report to get technical\r\ninformation, as well as view, investigate, and respond to incidents and alerts that include any detections of related\r\nNICKEL activity.\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nThe indicators of compromise (IoCs) included in this blog post can be used by Microsoft Sentinel customers for\r\ndetection purposes using the queries detailed below.\r\nMatch known NICKEL domains and hashes\r\nThe following query matches domain name, hash IOCs and Microsoft 365 Defender signatures related to the\r\nNICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml\r\nIdentify NICKEL registry modification patterns\r\nThe following query identifies instances where NICKEL malware intentionally configures the browser settings for\r\nits use by modifying registry entries.\r\nhttps://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml\r\nHunt for NICKEL Command Line Activity November 2021\r\nThe below query looks for process command line activity related to data collection and staging observed being\r\nused by NICKEL. 
It hunts for use of tools such as xcopy and renamed archiving tools used for data collection and\r\nstaging on the hosts with signatures observed in NICKEL activity.\r\nhttps://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml\r\nMicrosoft 365 Defender\r\nSurface WDigest authentication changes\r\nUse this query to look for alerts related to enabling WDigest Authentication, which allows attackers to dump\r\ncredentials in clear text.\r\nAlertInfo\r\n| where Title == \"WDigest configuration change\"\r\n| join AlertEvidence on AlertId\r\nSurface discovery activity\r\nUse this query to surface potential NICKEL discovery activity. It looks for reconnaissance and staging commands\r\nspawned by a DLL that was launched through rundll32.exe with a \",start\" export, the loading pattern seen for the\r\nNICKEL implants.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"rundll32.exe\" and InitiatingProcessCommandLine has \",start\"\r\n| where ProcessCommandLine has_any(\"cmd\", \"netstat\", \"tasklist\", \"dir\", \"del\", \"net use\", \"ipconfig\", \"systeminfo\", \"xcopy\", \"mkdir\", \".bat\")\r\nSource: https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe"
	],
	"report_names": [
		"nickel-targeting-government-organizations-across-latin-america-and-europe"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"CTG-6119",
				"CTG-9246",
				"Ke3chang",
				"NICKEL",
				"Nylon Typhoon",
				"Playful Dragon",
				"Vixen Panda"
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/accb1c668222991f2febb297e62acd8dfc3f3112.pdf",
		"text": "https://archive.orkl.eu/accb1c668222991f2febb297e62acd8dfc3f3112.txt",
		"img": "https://archive.orkl.eu/accb1c668222991f2febb297e62acd8dfc3f3112.jpg"
	}
}
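Worked example for the "Evidence of routine host data collection" section of the archived blog text above. This is added here and is not Microsoft's code, nor one of the Sentinel hunting queries the blog links to. The blog reports NICKEL archiving staged files with a renamed rar.exe or 7z.exe protected by a keyboard-walk password; hunting on the image name therefore misses the tool, so this script keys on archiver syntax (the `a` add command plus the `-p`/`-hp` password switches that both rar and 7-Zip accept) regardless of what the binary is called, and scores the password for keyboard walks. Everything below is this example's own construction: the `KNOWN_ARCHIVERS` list, the QWERTY adjacency model (an approximation that treats keys in neighbouring rows and columns as adjacent), the 0.8 adjacency threshold and minimum length, the function and class names, and the sample command lines in `SAMPLE_CMDLINES`.

```python
"""Hunt process command lines for NICKEL-style archive staging (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Physical key positions as (row, column); a shifted glyph shares the key of its
# unshifted one. Approximation: neighbouring rows/columns count as adjacent.
_KEY_POS = {}
for _row, (_plain, _shift) in enumerate([
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", "ASDFGHJKL:\""),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]):
    for _col, (_a, _b) in enumerate(zip(_plain, _shift)):
        _KEY_POS[_a] = _KEY_POS[_b] = (_row, _col)

# Image names under which archiver syntax is expected (assumed list); anything
# else issuing rar/7z commands is treated as a renamed copy.
KNOWN_ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zg.exe"}

# rar: -p<pwd> or -hp<pwd> (also encrypts headers); 7-Zip: -p<pwd>. The password
# is attached directly to the switch in both tools.
_PASSWORD_SWITCH = re.compile(r"^-(?:hp|p)(?P<pw>.+)$")
_TOKEN = re.compile(r'"[^"]*"|\S+')  # keep quoted paths with spaces together


def is_keyboard_walk(password: str, min_len: int = 6, threshold: float = 0.8) -> bool:
    """True when nearly every consecutive key pair is physically adjacent on a QWERTY board."""
    if len(password) < min_len:
        return False
    pos = [_KEY_POS.get(c) for c in password]
    if None in pos:  # space or a glyph outside the modelled US layout
        return False
    adjacent = 0
    for (r1, c1), (r2, c2) in zip(pos, pos[1:]):
        if (r1, c1) != (r2, c2) and abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
            adjacent += 1
    return adjacent / (len(password) - 1) >= threshold


@dataclass
class StagingFinding:
    image: str
    archive: str
    sources: List[str] = field(default_factory=list)
    password: Optional[str] = None
    renamed: bool = False
    keyboard_walk: bool = False
    severity: str = "low"


def parse_archiver_cmdline(cmdline: str) -> Optional[StagingFinding]:
    """Return a finding if the command line uses rar/7z 'a' (add) syntax, else None."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if len(toks) < 3 or toks[1].lower() != "a":
        return None
    image = toks[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    finding = StagingFinding(image=image, archive="")
    for tok in toks[2:]:
        m = _PASSWORD_SWITCH.match(tok)
        if m:
            finding.password = m.group("pw")
        elif tok.startswith("-"):
            continue  # other switches such as -r or -mhe=on
        elif not finding.archive:
            finding.archive = tok  # first positional argument is the archive
        else:
            finding.sources.append(tok)  # remaining positionals are what gets collected
    if not finding.archive:
        return None
    finding.renamed = image not in KNOWN_ARCHIVERS
    finding.keyboard_walk = bool(finding.password) and is_keyboard_walk(finding.password)
    if finding.renamed or finding.keyboard_walk:
        finding.severity = "high"
    elif finding.password:
        finding.severity = "medium"  # password-protected archive creation is still a lead
    return finding


def hunt(cmdlines) -> List[StagingFinding]:
    return [f for f in map(parse_archiver_cmdline, cmdlines) if f]


# Constructed sample process command lines; they are not taken from the blog.
SAMPLE_CMDLINES = [
    r'C:\ProgramData\svchost.exe a -r -hp1qaz2wsx C:\ProgramData\1.rar C:\Users\jdoe\Documents\*.docx',
    r'"C:\Program Files\7-Zip\7z.exe" a -pSummer2021! C:\Temp\backup.7z D:\backups\*',
    r'C:\Windows\System32\cmd.exe /c dir C:\Users\jdoe\Documents',
    r'C:\Windows\Temp\~tmp.exe a -p!QAZ2wsx -mhe=on C:\Windows\Temp\out.7z "C:\share\finance reports"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_CMDLINES):
        print(f.severity.upper(), f.image, f.archive, "renamed=%s walk=%s" % (f.renamed, f.keyboard_walk))
```

Feed it the `ProcessCommandLine` column exported from DeviceProcessEvents (or Sysmon event ID 1) and triage the high findings first: a non-archiver image issuing `a -hp…` syntax is the renamed-tool pattern the blog describes, and a keyboard-walk password on its own is the second signal. The adjacency model is deliberately loose; tune `threshold` down if you want to catch walks broken by a digit, and keep `KNOWN_ARCHIVERS` aligned with what your estate actually deploys.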
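Worked example for the "Deploying malware for command and control" section of the archived blog text above, which lists the URL shapes the Leeson, Neoichor and NumbIdea implants use to reach their C2 and the Neoichor bing.com connectivity check. This is an added example, not Microsoft's code and not one of the Sentinel detections the blog links to; it turns those shapes into regular expressions and runs them, together with a subset of the blog's domain IOCs, over proxy log lines. Assumptions that are this example's own: `<rand>` and `<GetTickCount>` are rendered as decimal digits, the literal `%d` in the `newfrs%dsetssion=` format is a printf placeholder that appears as a number on the wire (both forms are accepted), the confidence levels, the `<timestamp> <client_ip> <method> <url> <status>` log format, and the constructed lines in `SAMPLE_LOG`.

```python
"""Match NICKEL C2 beacon URL shapes and domain IOCs in proxy logs (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Subset of the domain IOCs in the blog's table, kept defanged as published.
NICKEL_DOMAINS = {
    "cleanskycloud[.]com", "czreadsecurity[.]com",
    "eprotectioneu[.]com", "netscalertech[.]com",
}
_IOC_HOSTS = {d.replace("[.]", ".") for d in NICKEL_DOMAINS}

# (signature name, allowed URL paths, regex over the raw query string, base confidence).
# The first three beacon formats have no path at all; the fourth uses /index.htm.
_SIGNATURES = [
    ("setssion_beacon", {"", "/"}, re.compile(r"^setssion==\d+$"), "high"),
    ("newfrs_setssion_beacon", {"", "/"}, re.compile(r"^newfrs(?:\d+|%d)setssion=\d+$"), "high"),
    ("content_id_beacon", {"/index.htm"}, re.compile(r"^content=[A-Za-z0-9+/%=]+&id=\d+$"), "medium"),
    ("id_beacon", {"", "/"}, re.compile(r"^id=\d{5}\S+$"), "low"),  # generic key: weak alone
]
_BING_CHECK = re.compile(r"^id=\d+$")  # Neoichor connectivity probe: bing.com?id=<GetTickCount>
_RANK = {"low": 0, "medium": 1, "high": 2}


def classify_url(url: str) -> Optional[Tuple[str, str, bool]]:
    """Return (signature, confidence, ioc_hit) for a NICKEL-shaped URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    ioc_hit = host in _IOC_HOSTS
    if host in ("bing.com", "www.bing.com") and parts.path in ("", "/") and _BING_CHECK.match(parts.query):
        return ("neoichor_connectivity_check", "low", False)
    for name, paths, rx, conf in _SIGNATURES:
        if parts.path in paths and rx.match(parts.query):
            # A beacon shape sent to a listed NICKEL domain is high confidence whatever the shape.
            return (name, "high" if ioc_hit else conf, ioc_hit)
    if ioc_hit:  # any other request to a listed domain still deserves a look
        return ("ioc_domain_only", "medium", True)
    return None


@dataclass
class Beacon:
    line_no: int
    client: str
    host: str
    signature: str
    confidence: str
    ioc_hit: bool


def scan(log_lines) -> List[Beacon]:
    """Run classify_url over '<ts> <client> <method> <url> <status>' lines, highest confidence first."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) != 5 or not fields[3].startswith("http"):
            continue  # malformed or non-HTTP record
        res = classify_url(fields[3])
        if res:
            sig, conf, ioc = res
            hits.append(Beacon(n, fields[1], (urlsplit(fields[3]).hostname or "").lower(), sig, conf, ioc))
    return sorted(hits, key=lambda b: -_RANK[b.confidence])  # stable: ties keep log order


# Constructed proxy log lines; the hosts on lines 1, 5 and 7 are from the blog's IOC list.
SAMPLE_LOG = """\
2021-10-22T00:14:03Z 10.0.8.21 GET http://cleanskycloud.com?setssion==4821731523468 200
2021-10-22T00:14:05Z 10.0.8.21 GET http://bing.com?id=731523468 200
2021-10-22T00:20:11Z 10.0.8.44 GET http://www.example.org/index.htm?content=Q29tcHV0ZXIx&id=3 200
2021-10-22T00:21:40Z 10.0.8.44 GET http://intranet.example.org/app/search?id=12345 200
2021-10-22T00:25:00Z 10.0.8.51 GET http://netscalertech.com?newfrs7setssion=9917131523468 200
2021-10-22T00:26:00Z 10.0.8.51 GET http://example.com?id=48213WIN10-HOST-en-US 200
2021-10-22T00:30:00Z 10.0.8.60 GET http://eprotectioneu.com/news/today.html 200
this line is malformed
""".splitlines()

if __name__ == "__main__":
    for b in scan(SAMPLE_LOG):
        print(b.confidence.upper(), b.line_no, b.client, b.host, b.signature, "ioc=%s" % b.ioc_hit)
```

The misspelled `setssion` key and the doubled `==` are the strongest shape signals because a normal web application never emits them, so they are high confidence even against hosts not in the IOC list; `?id=<5 digits>…` on a bare host is too generic on its own and is kept low until it coincides with an IOC domain or a bing.com probe from the same client a few seconds earlier, which is the sequence to look for when triaging the low findings.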