{
	"id": "f5588397-6051-48f3-b41b-21465b7c9fd7",
	"created_at": "2026-04-06T00:18:59.226894Z",
	"updated_at": "2026-04-10T03:34:28.270802Z",
	"deleted_at": null,
	"sha1_hash": "ad47b7a304038e0c56d82d325db71d9473b2811a",
	"title": "UAT-9244 targets South American telecommunication providers with three new malware implants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 409236,
	"plain_text": "UAT-9244 targets South American telecommunication providers\r\nwith three new malware implants\r\nBy Asheer Malhotra\r\nPublished: 2026-03-05 · Archived: 2026-04-05 12:53:36 UTC\r\nCisco Talos is disclosing UAT-9244, who we assess with high confidence is a China-nexus advanced\r\npersistent threat (APT) actor closely associated with Famous Sparrow.\r\nSince 2024, UAT-9244 has targeted critical telecommunications infrastructure, including Windows and\r\nLinux-based endpoints and edge devices in South America, proliferating access via three malware\r\nimplants.\r\nThe first backdoor, “TernDoor,” is a new variation of the previously disclosed, Windows-based, CrowDoor\r\nmalware.\r\nTalos also discovered that UAT-9244 uses “PeerTime,” an ELF-based backdoor that uses the BitTorrent\r\nprotocol to conduct malicious operations on an infected system.\r\nUAT-9244’s third implant is a brute force scanner, which Talos tracks as “BruteEntry.” BruteEntry is\r\ntypically installed on network edge devices, essentially converting them into mass-scanning proxy nodes,\r\nalso known as Operational Relay Boxes (ORBs) that attempt to brute force into SSH, Postgres, and Tomcat\r\nservers.\r\nIntroducing TernDoor: A variant of CrowDoor\r\nUAT-9244 used dynamic-link library (DLL) side-loading to activate multiple stages of their infection chain. The\r\nactor executed “wsprint[.]exe”, a benign executable that loaded the malicious DLL-based loader\r\n“BugSplatRc64[.]dll”. The DLL reads a data file named “WSPrint[.]dll” from disk, decrypts its contents, and\r\nexecutes them in memory to activate TernDoor, the final payload.\r\nTernDoor is a variant of CrowDoor, a backdoor deployed in recent intrusions linked to China-nexus APTs such as\r\nFamousSparrow and Earth Estries. CrowDoor is a variant of SparrowDoor, another backdoor attributed to\r\nFamousSparrow. 
CrowDoor has also been observed in previous Tropic Trooper intrusions, indicating a close\r\noperational relationship with FamousSparrow. Based on the overlap in tooling; tactics, techniques, and procedures\r\n(TTPs); and victimology, we assess with high confidence that UAT-9244 closely overlaps with FamousSparrow\r\nand Tropic Trooper.\r\nAlthough UAT-9244 and Salt Typhoon both target telecommunications service providers, Talos has not been able\r\nto verify or establish a solid connection between the two clusters.\r\nThe DLL-based loader\r\nThe DLL-based loader, “BugSplatRc64.dll”, will load the “WSPrint.dll” file from the current directory, which will\r\nbe decoded using the key “qwiozpVngruhg123”.\r\nhttps://blog.talosintelligence.com/uat-9244/\r\nPage 1 of 13\n\nFigure 1. DLL-based loader reading the encoded payload.\r\nThe decoded shellcode is position-independent and decodes and decompresses the final payload. The final\r\npayload is the TernDoor implant.\r\nTernDoor\r\nThe final shellcode consists of the TernDoor backdoor. TernDoor is a variant of CrowDoor, actively developed\r\nand used by UAT-9244 since at least November 2024. TernDoor deviates from CrowDoor in the following\r\naspects:\r\nTernDoor consists of command codes that are different from previously disclosed variants of CrowDoor.\r\nThe TernDoor shellcode also consists of an embedded Windows driver (SYS file). The driver is encrypted\r\nusing AES in the shellcode. 
The driver is used to suspend, resume, and terminate processes.\r\nPersistence\r\nThe TernDoor infection chain is persisted on the system using either a scheduled task or the Registry Run key.\r\nThe scheduled task is named “WSPrint” and created using the command:\r\nschtasks /create /tn WSPrint /tr \"C:\\ProgramData\\WSPrint\\WSPrint.exe\" /ru \"SYSTEM\" /sc onstart /F\r\nFurthermore, TernDoor modifies the following task-related registry keys to hide the task:\r\nDeletes HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WSPrint | SD\r\nModifies HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WSPrint | Index = from 1 to 0\r\nA Registry Run key may also be set to run the executable on user login:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | Default = C:\\ProgramData\\WSPrint\\WSPrint.exe\r\nCommand line switch\r\nUnlike CrowDoor, TernDoor only supports one command line switch: “-u”, passed to WSPrint.exe. This is the\r\nswitch for uninstalling the malware from the system: it deletes all malware files from the operating directory\r\nand terminates malicious processes.\r\nDecoding the configuration\r\nLike previous variants of CrowDoor, TernDoor also checks to ensure it has been injected into “msiexec[.]exe”.\r\nThe implant decodes its configuration, which can specify the following information:\r\nCommand and control (C2) IP address\r\nNumber of tries to connect to the C2\r\nC2 port number\r\nUser-Agent to use while connecting to C2 (if applicable)\r\nFigure 2. 
TernDoor configuration blob.\r\nTernDoor functionality\r\nTernDoor’s capabilities resemble those of previously disclosed CrowDoor samples:\r\nCommunicates with the C2 IP address\r\nCreates processes and runs arbitrary commands via remote shell and independently\r\nReads and writes files\r\nCollects system information such as computer and user name, IP address information, and OS bitness\r\nUninstalls itself from the infected system\r\nDeploys the accompanying driver to hide malicious components and perform process management\r\nThe accompanying Windows driver, WSPrint.sys, is dropped to disk and then activated using a Windows service:\r\nFigure 3. Malicious driver service on the infected endpoint.\r\nThe driver creates a device named “\\\\Device\\\\VMTool” and symbolically links it to “\\\\DosDevices\\\\VMTool”. It\r\ncan terminate, suspend, or resume processes specified by TernDoor — likely a means of evasion.\r\nTernDoor infrastructure\r\nAll the C2 IP addresses discovered by Talos were associated with the following SSL certificate on port 443:\r\nSSL_fingerprint_sha256= 0c7e36683a100a96f695a952cf07052af9a47f5898e1078311fd58c5fdbdecc8\r\nSSL_fingerprint_SHA1= 2b170a6d90fceba72aba3c7bc5c40b9725f43788\r\nData:\r\nVersion: V3\r\nSerial Number: 1\r\nThumbprint: 2b170a6d90fceba72aba3c7bc5c40b9725f43788\r\nSignature Algorithm:\r\nIssuer: C=US ST=Some-State O=Internet Widgits Pty Ltd CN=8.8.8.8\r\nValidity\r\nNot Before: 2022-09-04 12:54:51\r\nNot After: 2023-09-04 12:54:51\r\nSubject: C=US ST=Some-State O=Internet Widgits Pty Ltd CN=8.8.8.8\r\nPivoting off this certificate, Talos found an additional 18 IPs likely being used by UAT-9244. This list is provided\r\nin the indicators of compromise (IOCs) section.\r\nOne of the DLL-based loaders was also hosted on the IP “212.11.64[.]105”. 
On this server, we discovered a set of\r\nshell scripts and an accompanying malware family we track as “PeerTime.”\r\nPeerTime: UAT-9244's peer-to-peer (P2P) backdoor\r\nPeerTime is an ELF-based backdoor that is compiled for a variety of architectures such as ARM, AARCH, PPC,\r\nMIPS etc., indicating that UAT-9244 can use it to infect a variety of embedded systems.\r\nPeerTime is deployed through a shell script that downloads the PeerTime loader ELF binary and an instrumentor\r\nbinary.\r\nThe instrumentor ELF binary will check for the presence of docker on the compromised host using the commands\r\ndocker and docker –q.\r\nIf docker is found, then the PeerTime loader is executed using:\r\ndocker \u003cpath_of_PeerTime_loader_ELF\u003e\r\nThe instrumentor contains debug strings in Simplified Chinese, indicating that it is a custom binary created and\r\ndeployed by Chinese-speaking threat actors:\r\n获取当前程序路径错误:  // Error retrieving current program path:\r\n删除当前程序错误: // Error deleting current program:\r\nFigure 4. PeerTime installation/infection chain.\r\nPeerTime consists of a loader that will decrypt and decompress the final PeerTime ELF payload and run it in\r\nmemory. The PeerTime loader has the ability to rename its process to a benign process name to evade detection.\r\nPeerTime uses the BitTorrent protocol to obtain C2 information, download files from its peers, and execute them\r\non the infected host. The payloads are written to disk and copied to the specified locations using BusyBox. As of\r\nnow, PeerTime consists of two versions: one written in C/C++ and a newer version written in Rust.\r\nFigure 5. PeerTime uses busybox to copy payloads.\r\nPeerTime is also known as “angrypeer” and can be tracked in VirusTotal using the “malware_config:angrypeer”\r\nquery. 
Malware configurations in VirusTotal are identified using Mandiant’s/GTIG’s Backscatter tool.\r\nSetting up ORBs via BruteEntry\r\nInfrastructure used by UAT-9244 also hosts another set of shell scripts and payloads designed to establish\r\ncompromised Linux-based systems, including edge devices, as operational relay boxes (ORBs) that scan and brute\r\nforce Tomcat, Postgres, and SSH servers.\r\nThe shell script will download two components:\r\nAn instrumentor and daemon process that activates the actual brute forcer\r\nThe actual brute forcer (named BruteEntry) that obtains target IPs from the C2 server and scans the IPs\r\nFigure 6. BruteEntry infection chain.\r\nThe instrumentor binary\r\nThe instrumentor binary is an ELF file written in GoLang. It checks if BruteEntry is already running on the\r\nsystem using “pgrep”:\r\npgrep \u003cpath_to_BruteEntry\u003e\r\nAnd then starts the brute forcer agent:\r\n./\u003cpath_to_BruteEntry\u003e\r\nBruteEntry\r\nBruteEntry is also written in GoLang and begins by registering with the C2 server by providing it with the\r\ninfected system’s IP address and computer name:\r\n{\"ip\":\"value\", \"hostname\":\"value\"}\r\nThe C2 responds with a JSON that assigns an agent_id to the infected host:\r\n{\"agent_id\":\"value\", \"server\":\"value\"}\r\nwhere “server” = version string of BruteEntry such as “brute-force-server-v1.0”\r\nBruteEntry will then ask the C2 for tasks to perform by sending a GET request to the C2 at the following URI, where\r\nlimit=1000 is the maximum number of vulnerable IPs to scan:\r\n/tasks/\u003cagent_id\u003e?limit=1000\r\nThe C2 responds with a JSON that consists of “tasks” containing the list of IPs to brute force:\r\n{\"tasks\":[\r\n{\"id\":,\"target\":\":\",\"type\":\"\"},\r\n{\"id\":,\"target\":\":\",\"type\":\"\"},\r\n. . . . 
.\r\n] }\r\nThe “type” field in the JSON defines the type of scan to conduct — either “tomcat”, “postgres”, or “ssh”.\r\nThe agent will then use a set of embedded credentials to attempt to brute force into either a Tomcat server\r\napplication at the URL “https[://]\u003cIP\u003e:\u003cPort\u003e/manager/html”, or will brute force into a Postgres instance, either\r\ndefined in the JSON (\u003cIP\u003e\u003cPort\u003e) from the C2 or using the port 5432 if no port is specified.\r\nFigure 7. BruteEntry selecting the type of service to brute force into.\r\nResults of the login attempts are then POSTed back to the C2:\r\n{\"batch\":[\r\n{\"task_id\":\u003ctask_id\u003e,\"success\":\u003ctrue/false\u003e,\"note\":\" \u003cnotes on the task\u003e\"},\r\n{\"task_id\":\u003ctask_id\u003e,\"success\":\u003ctrue/false\u003e,\"note\":\" \u003cnotes on the task\u003e\"},\r\n......\r\n]}\r\nIn this instance, “success” indicates if the brute force was successful (true or false), and “note” provides specific\r\ninformation on whether the brute force was successful. 
If the login failed, the note reads “All credentials tried.” If\r\nit succeeded, the note reads “Cracked by agent \u003cagent_id\u003e | Version \u003cagent_version\u003e”.\r\nCoverage\r\nThe following ClamAV signatures detect and block this threat:\r\nWin.Loader.PeerTime\r\nWin.Malware.TernDoor\r\nUnix.Malware.BruteEntry\r\nTxt.Malware.PeerTime\r\nUnix.Malware.PeerTime\r\nThe following SNORT® rules (SIDs) detect and block this threat: 65551\r\nIOCs\r\nSource: https://blog.talosintelligence.com/uat-9244/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-9244/"
	],
	"report_names": [
		"uat-9244"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1aaa217b-361c-4c3a-b052-e381678702a5",
			"created_at": "2026-03-08T02:00:03.477548Z",
			"updated_at": "2026-04-10T02:00:03.984851Z",
			"deleted_at": null,
			"main_name": "UAT-9244",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-9244",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434739,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad47b7a304038e0c56d82d325db71d9473b2811a.pdf",
		"text": "https://archive.orkl.eu/ad47b7a304038e0c56d82d325db71d9473b2811a.txt",
		"img": "https://archive.orkl.eu/ad47b7a304038e0c56d82d325db71d9473b2811a.jpg"
	}
}