{
	"id": "8384aedd-6740-4a76-9063-7feef48a2bb2",
	"created_at": "2026-04-06T00:15:42.40647Z",
	"updated_at": "2026-04-10T03:37:22.730597Z",
	"deleted_at": null,
	"sha1_hash": "b0aed098cb73b1580de661355d3863fed3fe2f99",
	"title": "RedMike Cyber Attack on Cisco Devices in Telecommunications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71494,
	"plain_text": "RedMike Cyber Attack on Cisco Devices in Telecommunications\r\nBy Insikt Group®\r\nArchived: 2026-04-05 18:29:46 UTC\r\nBetween December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting\r\nunpatched internet-facing Cisco network devices primarily associated with global telecommunications providers.\r\nVictim organizations included a United States-based affiliate of a United Kingdom-based telecommunications\r\nprovider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese\r\nstate-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named\r\ngroup Salt Typhoon. Using Recorded Future® Network Intelligence, Insikt Group observed RedMike target and\r\nexploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability\r\nfound in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an\r\nassociated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges. RedMike reconfigures the\r\ndevice, adding a generic routing encapsulation (GRE) tunnel for persistent access.\r\nRedMike has attempted to exploit more than 1,000 Cisco devices globally. The group likely compiled a list of\r\ntarget devices based on their association with telecommunications providers' networks. Insikt Group also observed\r\nRedMike targeting devices associated with universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico,\r\nthe Netherlands, Thailand, the United States (US), and Vietnam. RedMike possibly targeted these universities to\r\naccess research in areas related to telecommunications, engineering, and technology, particularly at institutions\r\nlike UCLA and TU Delft. 
In addition to this activity, in mid-December 2024, RedMike also carried out\r\nreconnaissance of multiple IP addresses owned by a Myanmar-based telecommunications provider, Mytel.\r\nUnpatched public-facing appliances serve as direct entry points into an organization’s infrastructure. Sophisticated\r\nChinese threat activity groups have shifted heavily toward exploiting these devices for initial access over the past\r\nfive years. RedMike’s exploitation of telecommunications infrastructure goes beyond technical vulnerabilities and\r\nrepresents a strategic intelligence threat. Persistent access to critical communications networks enables state-backed\r\nthreat actors to monitor confidential conversations, manipulate data flows, and disrupt services during\r\ngeopolitical conflicts. RedMike’s targeting of lawful intercept programs and US political figures highlights the\r\nstrategic intelligence objectives behind these operations and the national security threat they pose.\r\nOrganizations, particularly those in the telecommunications industry, must prioritize remediating exposed network\r\ndevices, as unpatched systems remain a key initial access vector for Chinese state-sponsored threat activity\r\ngroups. Network administrators should implement strict access controls, disable unnecessary web UI exposure,\r\nand monitor for unauthorized configuration changes. Individuals should use end-to-end encrypted communication\r\nmethods for sensitive information, as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal\r\nBureau of Investigation (FBI) have recommended, to mitigate the risk of eavesdropping.\r\nhttps://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices\r\nPage 1 of 5\n\nAdditionally, governments and cybersecurity entities should improve threat intelligence sharing and impose\r\nstricter regulatory compliance for network security. 
While the US sanctions on RedMike-affiliated Sichuan\r\nJuxinhe Network Technology signal a more assertive and commendable stance against state-backed cyber\r\nespionage in critical infrastructure, robust international cooperation is crucial for effectively countering these\r\npersistent threats.\r\nKey Findings\r\nDespite significant media coverage and US sanctions, RedMike continues to compromise\r\ntelecommunications providers globally, including in the US.\r\nRedMike compromised Cisco network devices of a US-based affiliate of a United Kingdom (UK)\r\ntelecommunications provider and a South African telecommunications provider.\r\nRedMike exploited privilege escalation vulnerabilities CVE-2023-20198 and CVE-2023-20273 to\r\ncompromise unpatched Cisco network devices running Cisco IOS XE software.\r\nUsing Recorded Future Network Intelligence, Insikt Group identified RedMike attempting to exploit over\r\n1,000 Cisco network devices between December 2024 and January 2025.\r\nSalt Typhoon Hackers: Background\r\nIn late September 2024, media reporting (1, 2) stated that the Chinese state-sponsored group Salt Typhoon had\r\ncompromised the networks of major US telecommunications companies, including Verizon (1), AT\u0026T, and Lumen\r\nTechnologies. The activity likely affected telecommunications organizations globally, with some outlets reporting\r\nthat Salt Typhoon compromised at least 80 organizations. Salt Typhoon used its access to telecommunications\r\nproviders to snoop on US lawful intercept targets and intercept the communications of significant US political\r\nfigures. 
The effect of Salt Typhoon’s intrusions has reached the highest levels of the US government:\r\ncybersecurity experts have briefed the US Senate, CISA recently issued guidance on hardening\r\ntelecommunications infrastructure, and CISA and the FBI issued a joint warning encouraging the use of encrypted\r\nend-to-end messaging applications for sensitive communications.\r\nInsikt Group tracks Salt Typhoon-aligned activity as RedMike. Salt Typhoon is a group name given by Microsoft\r\nThreat Intelligence; at this time, Microsoft has not published publicly available technical details of the group's\r\nactivity. The only public information Microsoft has shared confirms an overlap with two existing threat activity\r\ngroup names: GhostEmperor (Kaspersky) and FamousSparrow (ESET).\r\nOn January 17, 2025, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned\r\nSichuan-based cybersecurity company Sichuan Juxinhe Network Technology Co., Ltd. for its direct\r\ninvolvement with RedMike activity. OFAC stated that Sichuan Juxinhe Network Technology Co., Ltd. had direct\r\ninvolvement in exploiting US telecommunications and internet service provider companies. According to OFAC,\r\nChina’s Ministry of State Security (MSS) has maintained strong ties with multiple computer network exploitation\r\ncompanies, including Sichuan Juxinhe.\r\nTechnical Analysis\r\nCisco IOS XE Web UI Exploitation\r\nUsing Recorded Future Network Intelligence, Insikt Group identified that since early December 2024, RedMike\r\nhas attempted to exploit over 1,000 internet-facing Cisco network devices worldwide, primarily those associated\r\nwith telecommunications providers, using a combination of two privilege escalation vulnerabilities: CVE-2023-20198\r\nand CVE-2023-20273. 
When successfully compromised, the group uses the new privileged user account to\r\nchange the device's configuration, adding a GRE tunnel for persistent access and data exfiltration.\r\nCVE-2023-20198 is a vulnerability in the web UI feature of Cisco IOS XE software, disclosed by Cisco in October 2023;\r\nit is reachable on any affected release on which the HTTP server feature is enabled and exposed. Attackers exploit it to\r\ngain initial access to the device and create a local user and password with privilege level 15, the highest IOS XE\r\nprivilege level. The attacker then logs in with the new local account and exploits an associated privilege escalation\r\nvulnerability, CVE-2023-20273, to gain root privileges on the underlying operating system.\r\nMore than half of the Cisco devices targeted by RedMike were in the US, South America, and India. The\r\nremaining devices spanned over 100 other countries. Although the selected devices are primarily associated with\r\ntelecommunications providers, thirteen were linked to universities across Argentina, Bangladesh, Indonesia,\r\nMalaysia, Mexico, the Netherlands, Thailand, the US, and Vietnam.\r\nOften involved in cutting-edge research, universities are prime targets for Chinese state-sponsored threat activity\r\ngroups to acquire valuable research data and intellectual property. Previous examples include APT40, which has\r\ntargeted universities for biomedical, robotics, and maritime research; RedGolf (APT41) for medical research; and\r\nRedBravo (APT31), which has directly targeted academics. 
China’s cyber strategy aligns with its broader\r\neconomic and military goals, making universities high-value targets for long-term intelligence-gathering and\r\ntechnology acquisition.\r\nRedMike possibly targeted the following universities to access research in areas related to telecommunications,\r\nengineering, and technology, particularly at institutions like UCLA and TU Delft.\r\nUniversity of California, Los Angeles (UCLA) — US\r\nCalifornia State University, Office of the Chancellor (CENIC) — US\r\nLoyola Marymount University — US\r\nUtah Tech University — US\r\nUniversidad de La Punta — Argentina\r\nIslamic University of Technology (IUT) — Bangladesh\r\nUniversitas Sebelas Maret — Indonesia\r\nUniversitas Negeri Malang — Indonesia\r\nUniversity of Malaya — Malaysia\r\nUniversidad Nacional Autonoma — Mexico\r\nTechnische Universiteit Delft — The Netherlands\r\nSripatum University — Thailand\r\nUniversity of Medicine and Pharmacy at Ho Chi Minh City — Vietnam\r\nRedMike’s scanning and exploitation activity occurred on six different occasions from December 2024 to January\r\n2025.\r\n2024-12-04\r\n2024-12-10\r\n2024-12-17\r\n2024-12-24\r\n2025-01-13\r\n2025-01-23\r\nNetwork administrators operating a Cisco network device with IOS XE software web UI exposed to the internet\r\ncan use the dates mentioned and advice in the mitigations section to identify potential RedMike exploitation\r\nactivity.\r\nUsing internet scanning data, Insikt Group identified more than 12,000 Cisco network devices with their web UIs\r\nexposed to the internet. 
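One way to act on the six activity dates above, as an added example that is not code from the report or from Recorded Future: the Python script below parses IOS XE syslog lines, keeps web UI logins, configuration changes and interface events, and reports those falling within a day of a reported RedMike activity date. The timestamp layout (service timestamps log datetime msec year show-timezone, optionally with sequence numbers), the choice of message types, and the sample log with the placeholder user svc_backup and address 198.51.100.23 are all assumptions constructed for this example, not indicators from the report.

```python
from datetime import date, datetime, timedelta

# The six dates on which the report above places RedMike scanning and
# exploitation activity (December 2024 to January 2025).
REDMIKE_ACTIVITY_DATES = [
    date(2024, 12, 4), date(2024, 12, 10), date(2024, 12, 17),
    date(2024, 12, 24), date(2025, 1, 13), date(2025, 1, 23),
]

# Standard IOS XE syslog mnemonics worth reviewing around those dates: web UI
# logins, configuration changes and interface events. They are generic IOS XE
# message types chosen for this example, not indicators from the report.
INTERESTING_MNEMONICS = {
    'SEC_LOGIN-5-WEBLOGIN_SUCCESS': 'web UI login',
    'SYS-5-CONFIG_I': 'running configuration changed',
    'PARSER-5-CFGLOG_LOGGEDCMD': 'configuration command logged',
    'LINEPROTO-5-UPDOWN': 'interface line protocol changed',
}

# Assumed timestamp layouts, as produced by
# service timestamps log datetime [msec] year show-timezone.
TIMESTAMP_FORMATS = ('%b %d %Y %H:%M:%S.%f %Z', '%b %d %Y %H:%M:%S %Z')


def parse_syslog_line(line):
    '''Return (timestamp, mnemonic, message) for one IOS XE syslog line,
    or None when the line is not a timestamped syslog message.'''
    marker = ': %'
    split_at = line.find(marker)
    if split_at < 0:
        return None
    stamp = line[:split_at]
    if ': ' in stamp:                    # drop a leading sequence number
        stamp = stamp.split(': ', 1)[1]
    stamp = stamp.strip().lstrip('*.')   # '*' or '.' prefix: clock not NTP synced
    rest = line[split_at + len(marker):]
    if ': ' not in rest:
        return None
    mnemonic, message = rest.split(': ', 1)
    for fmt in TIMESTAMP_FORMATS:
        try:
            return datetime.strptime(stamp, fmt), mnemonic, message
        except ValueError:
            continue
    return None


def events_near_activity_dates(log_lines, window_days=1):
    '''Return the interesting events whose date lies within window_days of a
    reported RedMike activity date, oldest first. Unparseable lines are skipped.'''
    window = timedelta(days=window_days)
    hits = []
    for line in log_lines:
        parsed = parse_syslog_line(line)
        if parsed is None:
            continue
        when, mnemonic, message = parsed
        if mnemonic not in INTERESTING_MNEMONICS:
            continue
        for activity_day in REDMIKE_ACTIVITY_DATES:
            if abs(when.date() - activity_day) <= window:
                hits.append({
                    'when': when,
                    'activity_date': activity_day,
                    'mnemonic': mnemonic,
                    'why': INTERESTING_MNEMONICS[mnemonic],
                    'message': message,
                })
                break
    hits.sort(key=lambda hit: hit['when'])
    return hits


# Constructed sample log for the example; the user name and source address are
# placeholders, not observed indicators.
SAMPLE_LOG = '''
000201: Nov 20 2024 08:02:11 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 203.0.113.8] at 08:02:11 UTC Wed Nov 20 2024
000202: Dec  4 2024 11:17:03.412 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: svc_backup] [Source: 198.51.100.23] at 11:17:03 UTC Wed Dec 4 2024
000203: Dec  4 2024 11:17:40.006 UTC: %SYS-5-CONFIG_I: Configured from console by svc_backup on vty0 (198.51.100.23)
000204: Dec  5 2024 02:31:09.117 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:interface Tunnel99
000205: Dec  5 2024 02:31:12.300 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel99, changed state to up
this line is not a syslog message and is skipped
000206: Jan 23 2025 19:05:55.781 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
'''


def audit_sample(window_days=1):
    '''Run the correlation over the constructed sample log.'''
    return events_near_activity_dates(SAMPLE_LOG.splitlines(), window_days)


if __name__ == '__main__':
    for hit in audit_sample():
        print(hit['when'].isoformat(), hit['mnemonic'], '-', hit['why'],
              '(near activity date ' + hit['activity_date'].isoformat() + ')')
```

The one-day window is deliberate: the report gives dates, not times, and a device clock that is not NTP synchronized (the leading asterisk IOS XE prints in that case) can drift across midnight. A web UI login from an unfamiliar source followed within minutes by a configuration change and a new tunnel interface, as in the constructed sample, is exactly the sequence the exploitation chain above produces.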
Although over 1,000 Cisco devices were targeted, Insikt Group assesses that this activity\r\nwas likely focused, given that this number represents only 8% of the exposed devices and that RedMike engaged\r\nin periodic reconnaissance activity, selecting devices linked to telecommunications providers.\r\nCompromised Cisco Devices in Telecommunications Networks\r\nUsing Recorded Future Network Intelligence, Insikt Group observed seven compromised Cisco network devices\r\ncommunicating with RedMike infrastructure. These include devices associated with:\r\nA US-based affiliate of a UK telecommunications provider\r\nA US internet service provider (ISP) and telecommunications company\r\nA South African telecommunications provider\r\nAn Italian ISP\r\nA large Thai telecommunications provider\r\nRedMike configured GRE tunnels between the compromised Cisco devices and their infrastructure. GRE is a\r\ntunneling protocol used to encapsulate various network layer protocols inside point-to-point connections. It is a\r\nstandard feature that can be configured on Cisco network devices. It is commonly used to create virtual private\r\nnetworks (VPNs), enable interoperability between different network types, and transport multicast or non-IP\r\ntraffic over IP networks. Threat activity groups use GRE tunnels to maintain persistence by establishing covert\r\ncommunication channels: because the encapsulated traffic travels inside IP protocol 47 packets, a firewall or intrusion\r\ndetection system that permits GRE and does not inspect the inner payload passes it without examination. 
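The configuration-level checks that follow from the mitigations above (disable unnecessary web UI exposure, monitor for unauthorized configuration changes) and from the GRE tunnel technique just described, written as an added Python example rather than code from the report: it parses an IOS XE running-config, flags an enabled web UI with no ip http access-class restriction, privilege 15 local users missing from a baseline, and tunnel interfaces in GRE mode (the IOS XE default when no tunnel mode line is present) whose destination is not a known peer. The sample configuration, the baseline sets and every address and user name in it are constructed for the example.

```python
# Known-good baseline for the device under review. Constructed for this example;
# in practice it comes from the change-management source of truth, not the device.
EXPECTED_PRIV15_USERS = {'netops'}
EXPECTED_TUNNEL_PEERS = {'192.0.2.10'}


def parse_running_config(text):
    '''Split an IOS XE running-config into top-level lines and interface
    blocks. Returns (global_lines, {interface_name: [indented sub-lines]}).'''
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == '!':
            current = None
            continue
        if line.startswith('interface '):
            current = line.split(' ', 1)[1]
            interfaces[current] = []
        elif line.startswith(' ') and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_config(text, expected_users=EXPECTED_PRIV15_USERS,
                 expected_peers=EXPECTED_TUNNEL_PEERS):
    '''Return (severity, finding) pairs for the three conditions the report
    associates with this campaign: an exposed web UI, privilege 15 local
    users outside the baseline, and GRE tunnels to unknown peers.'''
    global_lines, interfaces = parse_running_config(text)
    findings = []

    # 1. Web UI exposure: the web UI is the component CVE-2023-20198 lives in.
    http_lines = [line for line in global_lines
                  if line in ('ip http server', 'ip http secure-server')]
    restricted = any(line.startswith('ip http access-class') for line in global_lines)
    if http_lines and not restricted:
        findings.append(('HIGH', 'web UI enabled with no ip http access-class: '
                         + ', '.join(http_lines)))
    elif http_lines:
        findings.append(('INFO', 'web UI enabled but restricted by ip http access-class'))

    # 2. Privilege 15 local users: the exploit chain creates one of these.
    for line in global_lines:
        parts = line.split()
        if len(parts) > 3 and parts[0] == 'username' and 'privilege' in parts:
            level_index = parts.index('privilege') + 1
            if (level_index < len(parts) and parts[level_index] == '15'
                    and parts[1] not in expected_users):
                findings.append(('HIGH', 'privilege 15 user not in baseline: ' + parts[1]))

    # 3. Tunnel interfaces: GRE over IP is the default when no tunnel mode is set,
    #    so a tunnel with no explicit mode line is still a GRE tunnel.
    for name, body in interfaces.items():
        if not name.startswith('Tunnel'):
            continue
        mode, destination = 'gre ip', None
        for sub in body:
            if sub.startswith('tunnel mode '):
                mode = sub[len('tunnel mode '):]
            elif sub.startswith('tunnel destination '):
                destination = sub.split()[-1]
        if mode.startswith('gre') and destination not in expected_peers:
            findings.append(('HIGH', name + ': GRE tunnel to unexpected peer '
                             + str(destination)))
    return findings


# Constructed sample running-config; svc_backup and Tunnel99 play the role of
# the account and tunnel an intruder would add. Secrets are redacted placeholders.
SAMPLE_RUNNING_CONFIG = '''
hostname edge-rtr-01
!
username netops privilege 15 secret 9 REDACTED
username noc-view privilege 1 secret 9 REDACTED
username svc_backup privilege 15 secret 9 REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.5 255.255.255.0
!
interface Tunnel10
 description backup path to HQ
 ip address 10.254.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.10
!
interface Tunnel99
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel destination 198.51.100.23
!
'''


def audit_sample_config():
    '''Run the audit over the constructed sample configuration.'''
    return audit_config(SAMPLE_RUNNING_CONFIG)


if __name__ == '__main__':
    for severity, finding in audit_sample_config():
        print(severity, finding)
```

Feed it the output of show running-config collected out of band (for example over SSH from a jump host), not through the web UI being audited, and diff successive runs: a new privilege 15 user or a new Tunnel interface appearing between two snapshots is the unauthorized configuration change the mitigations above tell operators to watch for.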
These tunnels also facilitate\r\nstealthy data exfiltration by encapsulating stolen data within GRE packets, potentially bypassing network\r\nmonitoring.\r\nReconnaissance of Myanmar’s Telecom Infrastructure\r\nIn mid-December 2024, RedMike, from the same infrastructure that exploited the Cisco network devices,\r\nperformed reconnaissance against multiple infrastructure assets operated by a Myanmar-based\r\ntelecommunications provider, Mytel, likely including its corporate mail server.\r\nState-sponsored cyber espionage groups like RedMike continue to target global telecommunications\r\ninfrastructure. The need for heightened cybersecurity in this critical sector has never been more urgent. Exploiting\r\nvulnerabilities such as CVE-2023-20198 and CVE-2023-20273 in Cisco devices underscores the increasing\r\nsophistication of attacks against telecom networks. These attacks not only jeopardize the confidentiality of\r\ncommunications but also threaten the very integrity of critical national and international infrastructure.\r\nThe focus on exploiting unpatched network devices has become a central method of entry for state-sponsored threat\r\nactors, highlighting a pressing need for telecommunications providers worldwide to prioritize proactive security\r\nmeasures. Remediation actions, such as regular patching of vulnerabilities, enhanced access controls, and the use\r\nof end-to-end encrypted communications, are essential in mitigating these persistent threats. However, these\r\nefforts must be part of a broader, global cybersecurity strategy that fosters international cooperation and\r\nencourages information sharing among governments and private entities. 
In addition to technical defenses, the\r\ntelecommunications sector must make a concerted push toward cybersecurity resilience.\r\nRecorded Future’s threat intelligence platform offers real-time insights into the tactics, techniques, and\r\nprocedures (TTPs) of cyber adversaries, helping organizations stay ahead of sophisticated state-sponsored actors.\r\nSource: https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices"
	],
	"report_names": [
		"redmike-salt-typhoon-exploits-vulnerable-devices"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7936e2f8-5179-414a-8b57-530c28062f26",
			"created_at": "2023-04-27T02:04:45.231554Z",
			"updated_at": "2026-04-10T02:00:04.87247Z",
			"deleted_at": null,
			"main_name": "RedGolf",
			"aliases": [],
			"source_name": "ETDA:RedGolf",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"ELFSHELF",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f799b96d-bc59-4b35-ae5c-dfe87e5b735b",
			"created_at": "2023-04-26T02:02:01.286476Z",
			"updated_at": "2026-04-10T02:00:03.363506Z",
			"deleted_at": null,
			"main_name": "RedGolf",
			"aliases": [],
			"source_name": "MISPGALAXY:RedGolf",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40",
				"GADOLINIUM",
				"Gingham Typhoon",
				"Kryptonite Panda",
				"Leviathan",
				"Nanhaishu",
				"Pickleworm",
				"Red Ladon",
				"TA423",
				"Temp.Jumper",
				"Temp.Periscope"
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries",
				"Famous Sparrow",
				"Ghost Emperor",
				"RedMike",
				"Salt Typhoon"
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31",
				"BRONZE EXPRESS",
				"Judgment Panda",
				"Red Keres",
				"TA412",
				"VINEWOOD",
				"Violet Typhoon",
				"ZIRCONIUM"
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434542,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0aed098cb73b1580de661355d3863fed3fe2f99.pdf",
		"text": "https://archive.orkl.eu/b0aed098cb73b1580de661355d3863fed3fe2f99.txt",
		"img": "https://archive.orkl.eu/b0aed098cb73b1580de661355d3863fed3fe2f99.jpg"
	}
}