{
	"id": "9a441138-de15-4731-b1fb-e8329281276e",
	"created_at": "2026-04-06T00:18:07.890075Z",
	"updated_at": "2026-04-10T03:37:51.347074Z",
	"deleted_at": null,
	"sha1_hash": "b232f7d7b438861bae5e4776e479a4f7e1cf247e",
	"title": "Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 554137,
	"plain_text": "Meet NailaoLocker: a ransomware distributed in Europe by\r\nShadowPad and PlugX backdoors\r\nPublished: 2025-02-18 · Archived: 2026-04-05 22:48:14 UTC\r\nData in this article\r\nExecutive Summary\r\nIntroduction\r\nInfection chains\r\nShadowPad analysis\r\nInfrastructure analyses\r\nAction on objectives and ransomware delivery\r\nNailaoLoader analysis\r\nNailaoLocker analysis\r\nConnecting Green Nailao to the larger Chinese threat ecosystem\r\nConclusion\r\nAppendices\r\nExecutive Summary\r\nAuthors: Marine Pichon, Alexis Bonnefoi\r\nAcknowledgments:\r\nSpecial thanks to Daniel Lunghi (Trend Micro) for his help on our ShadowPad analysis. His own investigation on\r\nthis topic is available here.\r\nSpecial thanks to Thomas Brossard from our CSIRT for his valuable forensic insights. This report is the result of a\r\nfruitful collaboration between teams inside Orange Cyberdefense CERT including the Incident Response team,\r\nWorld Watch and the Reverse Engineering Team.\r\nAn unknown threat cluster has been targeting European organizations, notably in the healthcare\r\nsector, at least between June and October 2024.\r\nTracked as Green Nailao by Orange Cyberdefense CERT, the campaign relied on DLL search-order\r\nhijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted\r\nintrusions.\r\nThe ShadowPad variant our reverse-engineering team analyzed is highly obfuscated and uses Windows\r\nservices and registry keys to persist on the system in the event of a reboot.\r\nIn several Incident Response engagements, we observed the subsequent deployment of a previously\r\nundocumented ransomware payload.\r\nThe campaign was enabled by the exploitation of CVE-2024-24919 (link for our World Watch and\r\nVulnerability Intelligence customers) on vulnerable Check Point Security 
Gateways.\r\nhttps://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors\r\nPage 1 of 8\n\nIoCs and Yara rules can be found on our dedicated GitHub page here.\r\nNote: The analysis cut-off date for this report was February 15, 2025.\r\nIntroduction\r\nLast year, Orange Cyberdefense’s CERT investigated a series of incidents from an unknown threat actor\r\nleveraging both ShadowPad and PlugX. Tracked as Green Nailao (“Nailao” meaning “cheese” in Chinese – a\r\ntopic our World Watch CTI team holds in high regard), the campaign impacted several European organizations,\r\nincluding in the healthcare vertical, during the second half of 2024. We believe this campaign has targeted a\r\nlarger panel of organizations across the world throughout multiple sectors.\r\nSomewhat similar TTPs and payloads have been publicly mentioned in a write-up from HackersEye’s DFIR team.\r\nIn at least two cases, the intrusion ended up with the execution on victims’ systems of a custom, previously\r\nundocumented ransomware payload we dubbed NailaoLocker.\r\nOur World Watch CTI team does not associate this campaign with a known threat group. Nevertheless, we assess\r\nwith medium confidence that the threat actors do align with typical Chinese intrusion sets.\r\nInfection chains\r\nAll four cases used a similar initial access vector consisting of the compromise of a Check Point VPN\r\nappliance. Our Incident Responders assess with medium confidence this was managed by the exploitation of\r\nCVE-2024-24919, a critical 0-day vulnerability affecting Check Point Security Gateways that have Remote\r\nAccess VPN or Mobile Access features enabled (link to the Vulnerability Intelligence Watch advisory for our\r\ncustomers here). 
Patched in May 2024 but exploited in the wild since early April 2024 at least, the flaw enables\r\nthreat actors to read certain information on gateways, and most importantly enumerate and extract password\r\nhashes for all local accounts. Because all observed Check Point instances were still vulnerable at the time of\r\ntheir compromise, CVE-2024-24919 likely enabled the threat actors to retrieve user credentials and to connect\r\nto the VPN using a legitimate account.\r\nThe threat actors then carried out network reconnaissance and lateral movement mostly through RDP, in an effort\r\nto obtain additional privileges. The threat actors were observed manually executing a legitimate binary,\r\n“logger.exe”, to side-load a malicious DLL, “logexts.dll” (T1574). When executed, the DLL copies an adjacent\r\nencrypted payload (for instance, “0EEBB9B4.tmp”) to a Windows registry key (with the name of this key being\r\nrelated to the system drive's volume serial number).\r\nThe “0EEBB9B4.tmp” payload is then deleted by the threat actors and ultimately retrieved by the DLL from\r\nthe registry key and injected into another process. Finally, a service or a startup task is created to run logger.exe and\r\nmaintain system persistence. Upon analysis, we were able to associate “0EEBB9B4.tmp” with a new version of the\r\ninfamous ShadowPad malware (with the DLL acting as its loader).\r\nIt should be noted we also observed very similar TTPs used to distribute PlugX around August 2024. In this\r\nspecific case, threat actors used a legitimate McAfee executable called “mcoemcpy.exe” to side-load a malicious\r\nDLL (“McUtil.dll”). The DLL creates a Windows service for persistence and attempts to escalate privileges by\r\nusing token-related APIs to grant itself the SeDebugPrivilege token. 
The loader then decrypts a third, highly\r\nobfuscated file called “Mc.cp” and injects the extracted shellcode into a launched but suspended process (Process\r\nHollowing - T1055.012). Once injected, the process resumes execution to run the shellcode in memory. These\r\nthree files correspond to the well-reported “PlugX trinity” execution workflow that can be created using one of the\r\nleaked PlugX builders available online.\r\nShadowPad analysis\r\nShadowPad is known for its widespread usage in cyberespionage campaigns against government entities,\r\nacademic institutions, energy organizations, think tanks, or technology companies. This modular backdoor is\r\nsuspected to have been privately shared or sold among Chinese APTs since 2015 at least. In our cases, we identified\r\nwhat we believe is a new variant of ShadowPad featuring more complex obfuscation and anti-debug measures.\r\nShadowPad was observed establishing communication with a C2 server to create a discreet access point within\r\nthe victims’ information systems that is independent of VPN access. In fact, we observed in some cases more than\r\ntwo weeks between these first stages of compromise and post-exploitation activities. It should also be noted that\r\nwe retrieved indications that several ShadowPad backdoors were installed on different machines belonging to the\r\nsame organization.\r\nFigure 1: Censys information on IP 193[.]56.255.14 spoofing Intel Corporation\r\nBy pivoting on the certificates, we were able to retrieve additional IP addresses likely belonging to the same\r\nShadowPad cluster. These have been included in the list of IoCs provided at the end of the report. 
All potential\r\nShadowPad C2 servers span different Autonomous Systems, but many are hosted by VULTR.\r\nConcerning the anonymization infrastructure used by the threat actors to connect to the Check Point VPN in the\r\nfirst place, we noticed one of the IPs is a compromised IoT device located in Sweden, potentially part of a botnet or ORB\r\n(Operational Relay Box) network. Another one is an exit node from Proton VPN.\r\nAction on objectives and ransomware delivery\r\nOrange Cyberdefense researchers observed the threat actors accessing files and folders and ultimately creating ZIP\r\narchives, suggesting data exfiltration attempts. In at least one case, we assess the threat actors notably captured\r\nthe “ntds.dit” database file within Microsoft’s Active Directory, which typically stores user account details,\r\npasswords, group memberships, and other object attributes. Unfortunately, in several cases, limited firewall log\r\nretention and/or missing traffic details—such as packet sizes, session information, or data exchange volumes—\r\nrestricted our ability to fully assess the exfiltration conducted by the threat actors.\r\nThe threat actors were then observed running a script targeting a list of local IP addresses and leveraging Windows\r\nManagement Instrumentation (WMI) to send three files to each host:\r\n“usysdiag.exe”,\r\n“sensapi.dll” (NailaoLoader),\r\n“usysdiag.exe.dat” (obfuscated NailaoLocker).\r\n“usysdiag.exe” is a legitimate executable signed by Beijing Huorong Network Technology Co., Ltd, a Chinese\r\nsecurity software provider. 
Like “logger.exe”, the executable is used to side-load another DLL (“sensapi.dll”) and a\r\ndata file “usysdiag.exe.dat” using a newly created Windows service named “aaa”.\r\nFigure 2: Execution flow of NailaoLoader and NailaoLocker\r\nOnce side-loaded, the NailaoLoader DLL retrieves the calling module address with the GetModuleHandleW API and\r\nchecks certain byte values to ensure it is loaded by the right binary. This launches the malware\r\nroutine. The checked values are actually the return address of the LoadLibrary function call in the legitimate\r\nbinary, which is then used to rewrite instructions and jump into the malware's main function.\r\nFigure 3: sensapi.dll checks usysdiag.exe data to ensure it is loaded the expected way.\r\nNailaoLoader’s loading method is quite straightforward. It first builds the payload filename, using the\r\nGetModuleFileNameW API (“legit_binary_name.exe.dat”, such as “usysdiag.exe.dat”). It opens the .dat payload\r\n(NailaoLocker) with CreateFileW with RW access, gets the file size, and then decrypts the locker with the loop:\r\ndecrypted_byte = ((encrypted_byte + 0x4b) ^ 0x3f) - 0x4b\r\nFigure 4: Payload decryption routine\r\nWe observed the exact same loop across multiple samples of NailaoLoader, but this loop can change in other\r\ncampaigns.\r\nThe loader then writes random byte data from the legitimate binary into the “.dat” payload, before removing the\r\nlatter to prevent its recovery. 
NailaoLoader ultimately loads the decrypted NailaoLocker executable sections into a\r\nmemory segment, resolves its imports, and jumps into its entry point.\r\nFigure 5: Ransom note example left by NailaoLocker\r\nInterestingly enough, by pivoting on the content of the ransom notes, we found other similar HTML files\r\ncontaining a link to a low-tier cybercriminal service provider known as “Kodex Softwares” (formerly Evil\r\nExtractor). The latter seems to have offered three pieces of malware as a service since October 2022, which were advertised\r\non the former Cracked and Nulled underground marketplaces. One of these tools features ransomware capabilities\r\nagainst Windows systems. Nevertheless, the comparison of a Kodex ransomware sample from 2023 to our\r\nNailaoLocker samples revealed no code overlaps.\r\nFigure 6: Evil Extractor MaaS shop\r\nConnecting Green Nailao to the larger Chinese threat ecosystem\r\nAs mentioned previously, we assess with medium confidence that the cluster does align with typical Chinese\r\nintrusion sets. This assessment is based on:\r\nThe use of ShadowPad, an implant almost exclusively associated with Chinese targeted intrusion\r\noperations so far.\r\nThe adoption of consistent TTPs, notably three-file execution chains with DLL search-order hijacking to\r\nexecute the payloads (i.e., a legitimate executable vulnerable to DLL side-loading, a DLL loader and an\r\nencrypted payload). SecureWorks attributes some of these three-file execution chains to the BRONZE\r\nUNIVERSITY Chinese APT.\r\nWe also found some weak TTP overlaps with Cluster Alpha (STAC1248), a cluster mentioned in the 2023\r\nCrimson Palace operation detailed by Sophos. Cluster Alpha was notably observed exploiting the very same\r\n“usysdiag.exe” legitimate application to sideload “SensAPI.dll”. 
Yet, in Sophos’ case, it appears the DLL is only\r\nused to load and execute shellcode (“dllhost.exe”), before the DLL and the legitimate application are deleted.\r\nSophos does not mention any ransomware deployment, with “dllhost.exe” instead allowing the establishment of a\r\nremote C2 session. Cluster Alpha is assessed with high confidence by Sophos to operate on behalf of Chinese state\r\ninterests.\r\nThe deployment of a ransomware payload after the use of traditional cyberespionage tools is quite surprising. In\r\nthat way, Green Nailao is very reminiscent of a recently published article from Symantec. Nevertheless, the cluster\r\ndetailed by Symantec researchers slightly differs from Green Nailao as it involves the distribution of the RA\r\nWorld ransomware strain, a payload we did not observe across our different cases. Initially based on the leaked\r\nBabuk ransomware source code, RA World (or RA Group) is a double-extortion operation that surfaced in April\r\n2023. In July 2024, the ransomware was tied with low confidence by Palo Alto to a Chinese threat actor known as\r\nBRONZE STARLIGHT.\r\nNevertheless, despite these various overlaps with known intrusion sets, we do not associate Green Nailao with a\r\nspecific group. As of today, we are only able to raise several hypotheses on the final objectives of this campaign:\r\n- The encryption and ransom demand could be used as a vocal false-flag distraction shifting attention away from\r\nthe actual, stealthier goal of data exfiltration. Yet, the targets lacked strategic significance, making the attack an\r\nanomaly given the effort to obscure its intent. Additionally, the ransomware deployment poorly concealed the\r\nespionage-related backdoors.\r\n- The ransomware is a way to kill two birds with one stone, with a strategic data theft operation coupled with a\r\nprofitable financially motivated extortion scheme. 
This combination, which for instance characterizes many\r\nNorth Korean cyberattacks, could aim at financing more strategic operations from the threat actors. Yet, based on\r\nour analysis of one of the wallets associated with the cluster, the threat actors do not appear to have made a lot of money\r\nwith their cyberattacks.\r\n- The ransomware is an “on the side”, profitable moonlighting scheme from a threat actor belonging to an\r\nadvanced Chinese cyberespionage group or having access to its intrusion toolkit. This could help explain the\r\nsophistication contrast between ShadowPad and NailaoLocker, with NailaoLocker sometimes even attempting to\r\nmimic ShadowPad’s loading techniques. This same hypothesis was also put forward by Symantec researchers and\r\nmight be the most likely.\r\nThe targeting of healthcare-related entities by state-aligned groups, including from China, is not new. As\r\nrecalled in the French national cybersecurity agency’s (ANSSI) Threat landscape for the healthcare sector, while\r\nsuch campaigns can sometimes be conducted opportunistically, they often allow threat groups to gain access to\r\ninformation systems that can be used later to conduct other offensive operations. Researchers from Mandiant for\r\ninstance observed APT41 targeting US pharmaceutical entities in early 2020, while APT18 or APT10 have\r\nhistorically been tied to even older breaches affecting this vertical.\r\nConclusion\r\nThanks to a successful collaboration between analysts from several teams within Orange Cyberdefense CERT, we\r\nwere able to document a new threat for European organizations. Suspected to emanate from a China-nexus\r\nintrusion set, the campaign we track as Green Nailao revealed new insights on the ShadowPad backdoor which\r\nhad never been publicly linked to ransomware delivery before. 
This report also detailed a new ransomware\r\npayload we named NailaoLocker.\r\nWhile this campaign seems to remain limited in terms of volume, it highlights the importance for organizations to\r\napply security patches as soon as they are released. \r\nOrange Cyberdefense’s Datalake platform provides access to Indicators of Compromise (IoCs) related to this\r\nthreat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for\r\nIoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting. If you would like us\r\nto prioritize addressing these IoCs in your next hunt, please make a request through your MTD customer portal or\r\ncontact your representative.\r\nOrange Cyberdefense’s Managed Threat Intelligence [protect] service offers the ability to automatically feed\r\nnetwork-related IoCs into your security solutions. To learn more about this service and to find out which firewall,\r\nproxy, and other vendor solutions are supported, please get in touch with your Orange Cyberdefense Trusted\r\nSolutions representative.\r\nThe cybersecurity incident response team (CSIRT) in Orange Cyberdefense provides emergency consulting,\r\nincident management, and technical advice to help customers handle a security incident from initial detection to\r\nclosure and full recovery. 
If you suspect you are being attacked, don’t hesitate to call our hotline.\r\nAppendices\r\nANSSI, https://www.cert.ssi.gouv.fr/cti/CERTFR-2024-CTI-010/\r\nUseful Censys query\r\nCyber Peace Institute, https://cyberpeaceinstitute.org/report/2021-03-CyberPeaceInstitute-SAR001-Healthcare.pdf\r\nFireEye, https://dbac8a2e962120c65098-4d6abce208e5e17c2085b466b98c2083.ssl.cf1.rackcdn.com/beyond-compliance-cyber-threats-healthcare-pdf-10-w-5570.pdf\r\nHackersEye, https://hackerseye.com/dynamic-resources-list/tails-from-the-shadow-apt-41-injecting-shadowpad-with-sideloading/\r\nHunt, https://hunt.io/blog/legacy-threat-plugx-builder-controller-discovered-in-open-directory\r\nHunt, https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates\r\nMandiant, https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits?hl=en\r\nPalo Alto, https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/\r\nSecureWorks, https://www.secureworks.com/research/shadowpad-malware-analysis\r\nSentinelOne, https://assets.sentinelone.com/c/shadowpad?x=p42eqa\r\nSophos, https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/#alpha-persistence\r\nSymantec, https://www.security.com/threat-intelligence/chinese-espionage-ransomware\r\nThreatPost, https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828/\r\nSource: https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors"
	],
	"report_names": [
		"meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f0294b63-fb00-41cc-81db-ec7c8d4bb0ca",
			"created_at": "2024-06-20T02:02:09.94215Z",
			"updated_at": "2026-04-10T02:00:04.797664Z",
			"deleted_at": null,
			"main_name": "Operation Crimson Palace",
			"aliases": [],
			"source_name": "ETDA:Operation Crimson Palace",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434687,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b232f7d7b438861bae5e4776e479a4f7e1cf247e.pdf",
		"text": "https://archive.orkl.eu/b232f7d7b438861bae5e4776e479a4f7e1cf247e.txt",
		"img": "https://archive.orkl.eu/b232f7d7b438861bae5e4776e479a4f7e1cf247e.jpg"
	}
}