{ "id": "ae93d28e-7fa6-445d-ac05-64903583a55c", "created_at": "2026-04-06T00:07:21.897249Z", "updated_at": "2026-04-10T03:33:03.080888Z", "deleted_at": null, "sha1_hash": "b24044ebde19d0c20841fccdeadfb6235505cc1c", "title": "EHDevel – The story of a continuously improving advanced threat creation toolkit", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 384816, "plain_text": "EHDevel – The story of a continuously improving advanced threat\r\ncreation toolkit\r\nBy Alexandru MAXIMCIUC\r\nArchived: 2026-04-05 18:30:06 UTC\r\nMore than a year ago, on July 26th 2016, the Bitdefender Threat Intelligence Team came across a suspicious\r\ndocument called News.doc.  However, unlike most potentially malicious documents that get processed in our labs,\r\nthis file displayed similarities with a set of files known to have been used in separate attacks targeted at different\r\ninstitutions.\r\nOur technical dive into the file lead us to a sophisticated malware framework that uses a handful of novel\r\ntechniques for command and control identification and communications, as well as a plugin-based architecture, a\r\ndesign choice increasingly being adopted among threat actor groups in the past few years.\r\nDubbed EHDevel, this operation continues to this date, the latest known victims reportedly being several Pakistani\r\nindividuals. In their case, the threat actors have chosen different lures than the ones presented in this paper, but the\r\nmodus operandi is identical. Another important discovery lies in the fact that this  specialized framework that has\r\nbeen used to gather field intelligence for years in different shapes and forms, and our threat intelligence suggests a\r\nconnection with the 2013 Operation Hangover APT as well. Our technical dive into the framework revealed an\r\nintricate mix of transitions from one programming language to another, code under active development and bugs\r\nthat were not spotted during the QA process (if there were any).\r\nMidway through our research, additional technical information and news of EHDevel framework have emerged.\r\nYou can find a partial technical description of EHDevel over at 4HOU (warning: Chinese), as well as news on the\r\nIndia/Pakistan cyberattack in a Reuters report.\r\nDownload the whitepaper\r\nSource: https://www.bitdefender.com/blog/labs/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/\r\nhttps://www.bitdefender.com/blog/labs/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.bitdefender.com/blog/labs/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/" ], "report_names": [ "ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "88854a9f-641a-4412-89db-449b4d5cbc51", "created_at": "2022-10-25T16:07:23.963599Z", "updated_at": "2026-04-10T02:00:04.810023Z", "deleted_at": null, "main_name": "Operation HangOver", "aliases": [ "G0042", "Monsoon", "Operation HangOver", "Viceroy Tiger" ], "source_name": "ETDA:Operation HangOver", "tools": [ "AutoIt backdoor", "BADNEWS", "BackConfig", "JakyllHyde", "TINYTYPHON", "Unknown Logger", "WSCSPL" ], "source_id": "ETDA", "reports": null }, { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6", "created_at": "2022-10-25T15:50:23.285448Z", "updated_at": "2026-04-10T02:00:05.282202Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "Hangover Group", "Dropping Elephant", "Chinastrats", "Operation Hangover" ], "source_name": "MITRE:Patchwork", "tools": [ "NDiskMonitor", "QuasarRAT", "BackConfig", "TINYTYPHON", "AutoIt backdoor", "PowerSploit", "BADNEWS", "Unknown Logger" ], "source_id": "MITRE", "reports": null }, { "id": "cfdd350b-de30-4d29-bbee-28159f26c8c2", "created_at": "2023-01-06T13:46:38.433736Z", "updated_at": "2026-04-10T02:00:02.972971Z", "deleted_at": null, "main_name": "VICEROY TIGER", "aliases": [ "OPERATION HANGOVER", "Donot Team", "APT-C-35", "SectorE02", "Orange Kala" ], "source_name": "MISPGALAXY:VICEROY TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434041, "ts_updated_at": 1775791983, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b24044ebde19d0c20841fccdeadfb6235505cc1c.pdf", "text": "https://archive.orkl.eu/b24044ebde19d0c20841fccdeadfb6235505cc1c.txt", "img": "https://archive.orkl.eu/b24044ebde19d0c20841fccdeadfb6235505cc1c.jpg" } }