{
	"id": "cd9ee2c0-c2a1-4a09-bf1a-7d834ae610ac",
	"created_at": "2026-04-29T02:20:29.544876Z",
	"updated_at": "2026-04-29T08:22:09.50067Z",
	"deleted_at": null,
	"sha1_hash": "b36d2f14704d33920e77dc0a8488401a9ab9517b",
	"title": "VajraSpy: A Patchwork of espionage apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1578057,
	"plain_text": "VajraSpy: A Patchwork of espionage apps\r\nBy Lukas Stefanko\r\nArchived: 2026-04-29 02:07:55 UTC\r\nESET researchers have identified twelve Android espionage apps that share the same malicious code: six were available on\r\nGoogle Play, and six were found on VirusTotal. All the observed applications were advertised as messaging tools apart from\r\none that posed as a news app. In the background, these apps covertly execute remote access trojan (RAT) code called\r\nVajraSpy, used for targeted espionage by the Patchwork APT group.\r\nVajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled\r\nwith its code. It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract\r\nWhatsApp and Signal messages, record phone calls, and take pictures with the camera.\r\nAccording to our research, this Patchwork APT campaign targeted users mostly in Pakistan.\r\nKey points of the report:\r\nWe discovered a new cyberespionage campaign that, with a high level of confidence, we attribute to the\r\nPatchwork APT group.\r\nThe campaign leveraged Google Play to distribute six malicious apps bundled with VajraSpy RAT code;\r\nsix more were distributed in the wild.\r\nThe apps on Google Play reached over 1,400 installs and are still available on alternative app stores.\r\nPoor operational security around one of the apps allowed us to geolocate 148 compromised devices.\r\nOverview\r\nIn January 2023, we detected a trojanized news app called Rafaqat رفاقت) the Urdu word translates to Fellowship) being\r\nused to steal user information. Further research uncovered several more applications with the same malicious code as\r\nRafaqat رفاقت. Some of these apps shared the same developer certificate and user interface. 
In total, we analyzed 12\r\ntrojanized apps, six of which (including Rafaqat رفاقت) had been available on Google Play, and six of which were found in\r\nthe wild. The six malicious apps that had been available on Google Play were downloaded more than 1,400 times altogether.\r\nBased on our investigation, the threat actors behind the trojanized apps probably used a honey-trap romance scam to lure\r\ntheir victims into installing the malware.\r\nNote: This research covers specific apps and package names that have since been removed from the Google Play\r\nstore. Any similarly or identically named apps, such as MeetMe, that are still available on Google Play are purely\r\ncoincidental and have not been affected.\r\nAll the apps that were at some point available on Google Play had been uploaded there between April 2021 and March 2023.\r\nThe first of the apps to appear was Privee Talk, uploaded on April 1st, 2021, reaching around 15 installs. Then, in October\r\n2022, it was followed by MeetMe, Let’s Chat, Quick Chat, and Rafaqat رفاقت, installed altogether over 1,000 times. The last\r\napp available on Google Play was Chit Chat, which appeared in March 2023 and reached more than 100 installs.\r\nThe apps share several commonalities: most are messaging applications, and all are bundled with the VajraSpy RAT code.\r\nMeetMe and Chit Chat use an identical user login interface; see Figure 1. Furthermore, the Hello Chat (not available on\r\nhttps://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/\r\nPage 1 of 15\n\nGoogle Play store) and Chit Chat apps were signed by the same unique developer certificate (SHA-1 fingerprint:\r\n881541A1104AEDC7CEE504723BD5F63E15DB6420), which indicates that the same developer created them.\r\nFigure 1. 
Login screen of Hello Chat (left) and MeetMe and Chit Chat (right)\r\nApart from the apps that used to be available on Google Play, six more messaging applications were uploaded to VirusTotal.\r\nChronologically, YohooTalk was the first to appear there, in February 2022. The TikTalk app appeared on VirusTotal late in\r\nApril 2022; almost immediately afterward, MalwareHunterTeam on X (formerly Twitter) shared it with the domain where it\r\nwas available for download (fich[.]buzz). Hello Chat was uploaded in April 2023. Nidus and GlowChat were uploaded there\r\nin July 2023, and lastly, Wave Chat in September 2023. These six trojanized apps contain the same malicious code as those\r\nfound on Google Play.\r\nFigure 2 shows the dates when each application became available, either on Google Play or as a sample on VirusTotal.\r\nFigure 2. Timeline showing the dates when the trojanized apps became available\r\nESET is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to\r\nquickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play.\r\nAs a Google App Defense Alliance partner, ESET identified Rafaqat رفاقت as malicious and promptly shared these findings\r\nwith Google. At that point in time, Rafaqat رفاقت had already been removed from the storefront. The other apps, at the time we\r\nshared the samples with Google, were scanned and not flagged as malicious. All the apps identified in the report that were on Google\r\nPlay are no longer available on the Play store.\r\nVictimology\r\nWhile ESET telemetry registered detections only from Malaysia, we believe those were incidental and did not\r\nrepresent the actual targets of the campaign. 
During our investigation, weak operational security of one of the apps led to\r\nsome victim data being exposed, which allowed us to geolocate 148 compromised devices in Pakistan and India. These were\r\nlikely the actual targets of the attacks.\r\nAnother clue pointing toward Pakistan is the name of the developer used for the Google Play listing of the Rafaqat رفاقت\r\napp. The threat actors used the name Mohammad Rizwan, which is also the name of one of the most popular cricket players\r\nfrom Pakistan. Rafaqat رفاقت and several more of these trojanized apps also had the Pakistani country calling code selected\r\nby default on their login screen. According to Google Translate, رفاقت means \"fellowship\" in Urdu. Urdu is one of the national\r\nlanguages of Pakistan.\r\nWe believe the victims were approached via a honey-trap romance scam where the campaign operators feigned romantic\r\nand/or sexual interest in their targets on another platform, and then convinced them to download these trojanized apps.\r\nAttribution to Patchwork\r\nThe malicious code executed by the apps was first discovered in March 2022 by QiAnXin. They named it VajraSpy and\r\nattributed it to APT-Q-43. This APT group targets mostly diplomatic and government entities.\r\nIn March 2023, Meta published its first quarter adversarial threat report, which covers its takedown operations and the tactics,\r\ntechniques and procedures (TTPs) of various APT groups. The report describes a takedown operation against the Patchwork\r\nAPT group, covering fake social media accounts, Android malware hashes, and the distribution vector. The Threat
The Threat\r\nindicators section of that report includes samples that were analyzed and reported by QiAnXin with the same distribution\r\ndomains.\r\nIn November 2023, Qihoo 360 independently published an article matching malicious apps described by Meta and this\r\nreport, attributing them to VajraSpy malware operated by Fire Demon Snake (APT-C-52), a new APT group.\r\nhttps://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/\r\nPage 3 of 15\n\nOur analysis of these apps revealed that they all share the same malicious code and belong to the same malware family,\r\nVajraSpy.  Meta’s report includes more comprehensive information, which might give Meta better visibility on the\r\ncampaigns and also more data to identify the APT group. Because of that, we attributed VajraSpy to the Patchwork APT\r\ngroup.\r\nTechnical analysis\r\nVajraSpy is a customizable trojan usually disguised as a messaging application, used to exfiltrate user data. We noticed that\r\nthe malware has been using the same class names across all its observed instances, be they the samples found by ESET or by\r\nother researchers.\r\nTo illustrate, Figure 3 shows a comparison of malicious classes of variants of VajraSpy malware. The screenshot on the left\r\nis a list of malicious classes found in Click App discovered by Meta, the one in the middle lists the malicious classes in\r\nMeetMe (discovered by ESET), and the screenshot on the right shows the malicious classes in WaveChat, a malicious app\r\nfound in the wild. All the apps share the same worker classes responsible for data exfiltration.\r\nFigure 3. The same malicious classes in Click (left), MeetMe (middle), and WaveChat (right) apps\r\nhttps://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/\r\nPage 4 of 15\n\nFigure 4 and Figure 5 show the code responsible for exfiltrating notifications from the Crazy Talk app mentioned in Meta’s\r\nreport, and the Nidus app, respectively.\r\nFigure 4. 
Code responsible for intercepting notifications in the Crazy Talk app\r\nFigure 5. Code responsible for intercepting notifications in the Nidus app\r\nThe extent of VajraSpy’s malicious functionalities varies based on the permissions granted to the trojanized application.\r\nFor easier analysis, we have split the trojanized apps into three groups.\r\nGroup One: trojanized messaging applications with basic functionalities\r\nThe first group comprises the trojanized messaging applications that used to be available on Google Play (MeetMe,\r\nPrivee Talk, Let’s Chat, Quick Chat, and Chit Chat), together with GlowChat and Hello Chat, which weren’t available on\r\nGoogle Play.\r\nAll the applications in this group provide standard messaging functionality, but first, they require the user to create an\r\naccount. Creating an account depends on phone number verification via a one-time SMS code – if the phone number cannot\r\nbe verified, the account will not be created. However, whether the account is created or not is mostly irrelevant to the\r\nmalware, as VajraSpy runs regardless. The one possible utility of having the victim verify the phone number could be for the\r\nthreat actors to learn their victim’s country code, but this is just speculation on our part.\r\nThese apps share the same malicious functionality, being capable of exfiltrating the following:\r\ncontacts,\r\nSMS messages,\r\ncall logs,\r\ndevice location,\r\na list of installed apps, and\r\nfiles with specific extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and\r\n.opus).\r\nSome of the apps also request permission to access notifications. 
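Added example (editor-supplied triage code, not ESET’s tooling and not the malware’s code): the permission and component pattern the report ties to each group can be checked statically from an APK’s manifest before any dynamic analysis. The script parses a decoded AndroidManifest.xml (assumed to have been produced with apktool; the manifest below is constructed for the example) and reports which VajraSpy-style capabilities the declared permissions, the notification-listener or accessibility service bindings, and a BOOT_COMPLETED receiver would give the app, then maps them onto the report’s three groups. The capability names and the group heuristic are the example’s own; a legitimate messenger declares many of the same permissions, so the output is a prompt for manual review, not a verdict.

```python
# Editor-supplied example, not ESET's tooling or the malware's code.
# Triage a decoded AndroidManifest.xml (e.g. from 'apktool d sample.apk')
# for the permission/component pattern the VajraSpy report describes.
import xml.etree.ElementTree as ET

ANDROID = '{http://schemas.android.com/apk/res/android}'

# Declared permission -> capability it enables (names are the example's own).
PERMISSION_CAPS = {
    'android.permission.READ_CONTACTS': 'contacts',
    'android.permission.READ_SMS': 'sms',
    'android.permission.RECEIVE_SMS': 'sms',
    'android.permission.READ_CALL_LOG': 'call_logs',
    'android.permission.ACCESS_FINE_LOCATION': 'location',
    'android.permission.ACCESS_COARSE_LOCATION': 'location',
    'android.permission.READ_EXTERNAL_STORAGE': 'files',
    'android.permission.CAMERA': 'camera',
    'android.permission.RECORD_AUDIO': 'audio',
    'android.permission.ACCESS_WIFI_STATE': 'wifi_scan',
    'android.permission.RECEIVE_BOOT_COMPLETED': 'boot_persistence',
}
# Service bindings that grant notification or accessibility access.
SERVICE_CAPS = {
    'android.permission.BIND_NOTIFICATION_LISTENER_SERVICE': 'notifications',
    'android.permission.BIND_ACCESSIBILITY_SERVICE': 'accessibility',
}
BOOT_ACTION = 'android.intent.action.BOOT_COMPLETED'

def triage_manifest(xml_text):
    # Return the set of VajraSpy-style capabilities the manifest would allow.
    root = ET.fromstring(xml_text)
    caps = set()
    for perm in root.iter('uses-permission'):
        name = perm.get(ANDROID + 'name', '')
        if name in PERMISSION_CAPS:
            caps.add(PERMISSION_CAPS[name])
    app = root.find('application')
    if app is not None:
        for svc in app.iter('service'):
            if svc.get(ANDROID + 'permission', '') in SERVICE_CAPS:
                caps.add(SERVICE_CAPS[svc.get(ANDROID + 'permission')])
        for rcv in app.iter('receiver'):
            # T1398 in the report: activation via the BOOT_COMPLETED broadcast.
            if any(a.get(ANDROID + 'name') == BOOT_ACTION for a in rcv.iter('action')):
                caps.add('boot_persistence')
    return caps

def classify(caps):
    # Heuristic mapping onto the report's three groups (the example's own).
    chat_basics = {'contacts', 'sms', 'call_logs', 'location', 'files'}
    if 'accessibility' in caps:
        if {'camera', 'audio'} <= caps:
            return 'group two (Wave Chat profile: accessibility plus camera and audio)'
        return 'group two (accessibility-based chat interception)'
    if chat_basics <= caps:
        return 'group one (basic messaging trojan)'
    if 'notifications' in caps and 'contacts' in caps:
        return 'group three (notification access plus contacts and files)'
    return 'no VajraSpy-like pattern'

# Constructed manifest for the example; it is not taken from any real sample.
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.example.chat'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.READ_CONTACTS'/>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <uses-permission android:name='android.permission.READ_CALL_LOG'/>
  <uses-permission android:name='android.permission.ACCESS_FINE_LOCATION'/>
  <uses-permission android:name='android.permission.READ_EXTERNAL_STORAGE'/>
  <uses-permission android:name='android.permission.RECEIVE_BOOT_COMPLETED'/>
  <application android:label='Chat'>
    <service android:name='.NotifService'
             android:permission='android.permission.BIND_NOTIFICATION_LISTENER_SERVICE'>
      <intent-filter>
        <action android:name='android.service.notification.NotificationListenerService'/>
      </intent-filter>
    </service>
    <receiver android:name='.BootReceiver'>
      <intent-filter><action android:name='android.intent.action.BOOT_COMPLETED'/></intent-filter>
    </receiver>
  </application>
</manifest>'''

if __name__ == '__main__':
    found = triage_manifest(SAMPLE_MANIFEST)
    print('capabilities:', ', '.join(sorted(found)))
    print('verdict:', classify(found))
```

Point it at the AndroidManifest.xml in an apktool output directory; the same check lands the Rafaqat profile (notification listener plus contacts and storage, no SMS or call-log permissions) in group three, and an app that additionally binds an accessibility service plus camera and microphone in the Wave Chat profile.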
If such permission is granted, VajraSpy can intercept\r\nreceived messages from any messaging application, including SMS messages.\r\nFigure 6 shows a list of file extensions that VajraSpy is capable of exfiltrating from a device.\r\nFigure 6. File extensions of exfiltrated files\r\nThe operators behind the attacks used Google’s Firebase platform for the C\u0026C server; the endpoints listed in the IoCs\r\nsection are Firebase Realtime Database instances (*-default-rtdb.firebaseio[.]com). Apart from\r\nserving as the C\u0026C, the server was also used to store the victims’ account information and exchanged messages. We\r\nreported the server to Google, since they provide Firebase.\r\nGroup Two: trojanized messaging applications with advanced functionalities\r\nGroup two consists of TikTalk, Nidus, YohooTalk, and Wave Chat, as well as the instances of VajraSpy malware described\r\nin other research pieces, such as Crazy Talk (covered by Meta and QiAnXin).\r\nAs with those in Group One, these apps ask the potential victim to create an account and verify their phone number using a\r\none-time SMS code. The account won’t be created if the phone number is not verified, but VajraSpy will run anyway.\r\nThe apps in this group possess expanded capabilities compared to those in Group One. In addition to the first group’s\r\nfunctionalities, these apps abuse the built-in accessibility services to intercept WhatsApp, WhatsApp Business, and\r\nSignal communication. VajraSpy logs any visible communication from these apps in the console and in the local database,\r\nand subsequently uploads it to the Firebase-hosted C\u0026C server. To illustrate, Figure 7 depicts the malware logging\r\nWhatsApp communication in real time.\r\nFigure 7. 
User opened WhatsApp chat (left), and VajraSpy logged and stored all visible text (right)\r\nAdditionally, their extended capabilities allow them to spy on chat communications and intercept notifications. All in all, the\r\nGroup Two apps are capable of exfiltrating the following in addition to those that can be exfiltrated by Group One apps:\r\nreceived notifications, and\r\nexchanged messages in WhatsApp, WhatsApp Business, and Signal.\r\nOne of the apps in this group, Wave Chat, has even more malicious capabilities on top of those we have already covered. It\r\nalso behaves differently upon initial launch, asking the user to allow accessibility services. Once allowed, the malware abuses\r\nthe accessibility service to grant itself the remaining permissions on the user’s behalf, expanding the scope of VajraSpy’s access to the\r\ndevice. In addition to the previously mentioned malicious functionality, Wave Chat can also:\r\nrecord phone calls,\r\nrecord calls from WhatsApp, WhatsApp Business, Signal, and Telegram,\r\nlog keystrokes,\r\ntake pictures using the camera,\r\nrecord surrounding audio, and\r\nscan for Wi-Fi networks.\r\nWave Chat can receive a C\u0026C command to take a picture using the camera, and another command to record audio, either for\r\n60 seconds (by default) or for the amount of time specified in the server response. The captured data is then exfiltrated to the\r\nC\u0026C via POST requests.\r\nTo receive commands and store user messages, SMS messages, and the contact list, Wave Chat uses a Firebase server. For\r\nother exfiltrated data, it uses a different C\u0026C server and a client based on an open-source project called Retrofit. Retrofit is\r\nan open-source REST client for Android and Java that makes it easy to retrieve and upload data via a REST-based web service. 
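Added example (editor-supplied detection logic, not from ESET and not the malware’s code): the network indicators in the IoCs section are mostly per-app Firebase Realtime Database hosts, plus one non-Firebase C2 that the report says Wave Chat’s Retrofit client uploads to unencrypted over HTTP. The script refangs the published indicators, parses a constructed DNS/HTTP log format (the log lines are made up for the example), and reports three things: exact IoC hits, other Firebase RTDB endpoints (a review signal only, since many legitimate apps use them), and cleartext HTTP POSTs to a bare IP address, which is the generic shape of the Retrofit upload. The log format and the finding labels are the example’s own.

```python
# Editor-supplied example, not ESET's tooling or the malware's code.
# Match DNS/HTTP telemetry against the VajraSpy network IoCs from the report
# and flag the generic patterns behind them. Log format and lines are constructed.

# Network IoCs as published in the report (defanged with '[.]').
KNOWN_C2_HOSTS = {
    'hello-chat-c47ad-default-rtdb.firebaseio[.]com',
    'chit-chat-e9053-default-rtdb.firebaseio[.]com',
    'meetme-abc03-default-rtdb.firebaseio[.]com',
    'chatapp-6b96e-default-rtdb.firebaseio[.]com',
    'tiktalk-2fc98-default-rtdb.firebaseio[.]com',
    'wave-chat-e52fe-default-rtdb.firebaseio[.]com',
    'privchat-6cc58-default-rtdb.firebaseio[.]com',
    'glowchat-33103-default-rtdb.firebaseio[.]com',
    'letschat-5d5e3-default-rtdb.firebaseio[.]com',
    'quick-chat-1d242-default-rtdb.firebaseio[.]com',
    'yooho-c3345-default-rtdb.firebaseio[.]com',
    'rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app',
}
KNOWN_C2_IPS = {'34.120.160[.]131', '35.186.236[.]207', '160.20.147[.]67'}

HIT_KNOWN = 'known VajraSpy C2 indicator'
HIT_FIREBASE = 'Firebase Realtime Database endpoint (review only: matches the VajraSpy C2 pattern)'
HIT_CLEARTEXT = 'cleartext HTTP POST to a bare IP (Wave Chat Retrofit upload pattern)'

def refang(indicator):
    # Published IoCs are defanged; normalise before comparing with live data.
    return indicator.replace('[.]', '.').lower()

C2_HOSTS = {refang(h) for h in KNOWN_C2_HOSTS}
C2_IPS = {refang(i) for i in KNOWN_C2_IPS}

def is_bare_ipv4(host):
    parts = host.split('.')
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def parse_line(line):
    # Constructed format: '<ts> dns <client> <qname>' or
    # '<ts> http <client> <method> <url> <status>'. Returns None otherwise.
    fields = line.split()
    if len(fields) >= 4 and fields[1] == 'dns':
        return {'ts': fields[0], 'kind': 'dns', 'client': fields[2],
                'host': fields[3].lower()}
    if len(fields) >= 6 and fields[1] == 'http' and '://' in fields[4]:
        url = fields[4]
        scheme, rest = url.split('://', 1)
        host = rest.split('/', 1)[0].split(':', 1)[0].lower()
        return {'ts': fields[0], 'kind': 'http', 'client': fields[2],
                'method': fields[3].upper(), 'scheme': scheme.lower(),
                'host': host, 'url': url}
    return None

def evaluate(event):
    findings = []
    host = event['host']
    if host in C2_HOSTS or host in C2_IPS:
        findings.append(HIT_KNOWN)
    elif host.endswith('-default-rtdb.firebaseio.com') or host.endswith('.firebasedatabase.app'):
        # Firebase RTDB is common in legitimate apps: surface for review, do not block.
        findings.append(HIT_FIREBASE)
    if (event['kind'] == 'http' and event['scheme'] == 'http'
            and event['method'] == 'POST' and is_bare_ipv4(host)):
        findings.append(HIT_CLEARTEXT)
    return findings

def scan(lines):
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        findings = evaluate(event)
        if findings:
            hits.append((event['ts'], event['client'], event['host'], findings))
    return hits

# Constructed log lines for the example (private client addresses, made-up timestamps).
SAMPLE_LOG = '''2023-09-12T10:01:02Z dns 10.0.0.5 wave-chat-e52fe-default-rtdb.firebaseio.com
2023-09-12T10:01:05Z http 10.0.0.5 POST http://160.20.147.67/api/upload 200
2023-09-12T10:02:00Z dns 10.0.0.7 someapp-12345-default-rtdb.firebaseio.com
2023-09-12T10:02:30Z http 10.0.0.7 GET https://www.example.com/ 200
2023-09-12T10:03:00Z http 10.0.0.9 POST https://34.120.160.131/ 200'''

if __name__ == '__main__':
    for ts, client, host, findings in scan(SAMPLE_LOG.splitlines()):
        print(ts, client, host, '; '.join(findings))
```

Adapt parse_line to the layout of real DNS and proxy logs; keep the generic Firebase rule as a review signal rather than a block rule, and treat the cleartext-POST-to-bare-IP rule as a pivot for hunting the non-Firebase server rather than as a VajraSpy signature on its own.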
VajraSpy uses\r\nit to upload user data unencrypted to the C\u0026C server via HTTP.\r\nGroup Three: non-messaging applications\r\nSo far, the only application that belongs to this group is the one that kicked off this research in the first place – Rafaqat\r\nرفاقت. It is the only VajraSpy application that is not used for messaging, and is ostensibly used to deliver the latest news.\r\nSince a news app has no plausible reason to request intrusive permissions such as access to SMS messages or call logs, the malicious\r\ncapabilities of Rafaqat رفاقت are limited when compared to the other analyzed applications.\r\nRafaqat رفاقت was uploaded to Google Play on October 26th, 2022 by a developer going by the name Mohammad Rizwan,\r\nwhich is also the name of one of the most popular Pakistani cricket players. The application reached over a thousand installs\r\nbefore being removed from the Google Play store.\r\nInterestingly, the same developer submitted two more apps with an identical name and malicious code for upload to Google\r\nPlay some weeks before Rafaqat رفاقت appeared. However, these two apps were not published on Google Play.\r\nThe app’s login interface with the Pakistan country code preselected can be seen in Figure 8.\r\nFigure 8. 
Login screen for the Rafaqat رفاقت app\r\nWhile the app requires a login using a phone number upon launch, no number verification is implemented, meaning that the\r\nuser can employ any phone number to log in.\r\nRafaqat رفاقت can intercept notifications and exfiltrate the following:\r\ncontacts, and\r\nfiles with specific extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and\r\n.opus).\r\nFigure 9 shows the exfiltration of a received SMS message using the permission to access notifications.\r\nFigure 9. Exfiltration of a user notification (for a received SMS message)\r\nConclusion\r\nESET Research has discovered an espionage campaign using apps bundled with VajraSpy malware conducted, with a high\r\nlevel of confidence, by the Patchwork APT group. Some apps were distributed via Google Play and also found, along with\r\nothers, in the wild. Based on the available numbers, the malicious apps that used to be available on Google Play were\r\ndownloaded more than 1,400 times. A security flaw in one of the apps further revealed 148 compromised devices.\r\nBased on several indicators, the campaign targeted mostly Pakistani users: Rafaqat رفاقت, one of the malicious apps, used\r\nthe name of a popular Pakistani cricket player as the developer name on Google Play; the apps that requested a phone\r\nnumber upon account creation have the Pakistan country code selected by default; and many of the compromised devices\r\ndiscovered through the security flaw were located in Pakistan.\r\nTo entice their victims, the threat actors likely used targeted honey-trap romance scams, initially contacting the victims on\r\nanother platform and then convincing them to switch to a trojanized chat application. 
This was also reported in the Qihoo\r\n360 research, where threat actors started initial communication with victims via Facebook Messenger and WhatsApp, then\r\nmoved to a trojanized chat application.\r\nCybercriminals wield social engineering as a powerful weapon. We strongly recommend against clicking any links to\r\ndownload an application that are sent in a chat conversation. It can be hard to stay immune to spurious romantic advances,\r\nbut it pays off to always be vigilant.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Package name | ESET detection name | Description\r\nBAF6583C54FC680AA6F71F3B694E71657A7A99D0 | com.hello.chat | Android/Spy.VajraSpy.B | VajraSpy trojan.\r\n846B83B7324DFE2B98264BAFAC24F15FD83C4115 | com.chit.chat | Android/Spy.VajraSpy.A | VajraSpy trojan.\r\n5CFB6CF074FF729E544A65F2BCFE50814E4E1BD8 | com.meeete.org | Android/Spy.VajraSpy.A | VajraSpy trojan.\r\n1B61DC3C2D2C222F92B84242F6FCB917D4BC5A61 | com.nidus.no | Android/Spy.Agent.BQH | VajraSpy trojan.\r\nBCD639806A143BD52F0C3892FA58050E0EEEF401 | com.rafaqat.news | Android/Spy.VajraSpy.A | VajraSpy trojan.\r\n137BA80E443610D9D733C160CCDB9870F3792FB8 | com.tik.talk | Android/Spy.VajraSpy.A | VajraSpy trojan.\r\n5F860D5201F9330291F25501505EBAB18F55F8DA | com.wave.chat | Android/Spy.VajraSpy.C | VajraSpy trojan.\r\n3B27A62D77C5B82E7E6902632DA3A3E5EF98E743 | com.priv.talk | Android/Spy.VajraSpy.C | VajraSpy trojan.\r\n44E8F9D0CD935D0411B85409E146ACD10C80BF09 | com.glow.glow | Android/Spy.VajraSpy.A | VajraSpy trojan.\r\n94DC9311B53C5D9CC5C40CD943C83B71BD75B18A | com.letsm.chat | Android/Spy.VajraSpy.A | VajraSpy trojan.\r\nE0D73C035966C02DF7BCE66E6CE24E016607E62E | com.nionio.org | Android/Spy.VajraSpy.C | VajraSpy trojan.\r\n235897BCB9C14EB159E4E74DE2BC952B3AD5B63A | com.qqc.chat | Android/Spy.VajraSpy.A | VajraSpy trojan.\r\n8AB01840972223B314BF3C9D9ED3389B420F717F | com.yoho.talk | Android/Spy.VajraSpy.A | VajraSpy trojan.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n34.120.160[.]131 | hello-chat-c47ad-default-rtdb.firebaseio[.]com, chit-chat-e9053-default-rtdb.firebaseio[.]com, meetme-abc03-default-rtdb.firebaseio[.]com, chatapp-6b96e-default-rtdb.firebaseio[.]com, tiktalk-2fc98-default-rtdb.firebaseio[.]com, wave-chat-e52fe-default-rtdb.firebaseio[.]com, privchat-6cc58-default-rtdb.firebaseio[.]com, glowchat-33103-default-rtdb.firebaseio[.]com, letschat-5d5e3-default-rtdb.firebaseio[.]com, quick-chat-1d242-default-rtdb.firebaseio[.]com, yooho-c3345-default-rtdb.firebaseio[.]com | Google LLC | 2022-04-01 | VajraSpy C\u0026C servers\r\n35.186.236[.]207 | rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app | Google LLC | 2023-03-04 | VajraSpy C\u0026C server\r\n160.20.147[.]67 | N/A | aurologic GmbH | 2021-11-03 | VajraSpy C\u0026C server\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 14 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nPersistence | T1398 | Boot or Logon Initialization Scripts | VajraSpy receives the BOOT_COMPLETED broadcast intent to activate at device startup.\r\nDiscovery | T1420 | File and Directory Discovery | VajraSpy lists available files on external storage.\r\nDiscovery | T1422 | System Network Configuration Discovery | VajraSpy extracts the IMEI, IMSI, phone number, and country code.\r\nDiscovery | T1426 | System Information Discovery | VajraSpy extracts information about the device, including SIM serial number, device ID, and common system information.\r\nDiscovery | T1418 | Software Discovery | VajraSpy can obtain a list of installed applications.\r\nCollection | T1533 | Data from Local System | VajraSpy exfiltrates files from the device.\r\nCollection | T1430 | Location Tracking | VajraSpy tracks device location.\r\nCollection | T1636.002 | Protected User Data: Call Logs | VajraSpy extracts call logs.\r\nCollection | T1636.003 | Protected User Data: Contact List | VajraSpy extracts the contact list.\r\nCollection | T1636.004 | Protected User Data: SMS Messages | VajraSpy extracts SMS messages.\r\nCollection | T1517 | Access Notifications | VajraSpy can collect device notifications.\r\nCollection | T1429 | Audio Capture | VajraSpy can record microphone audio and record calls.\r\nCollection | T1512 | Video Capture | VajraSpy can take pictures using the camera.\r\nCollection | T1417.001 | Input Capture: Keylogging | VajraSpy can intercept all interactions between a user and the device.\r\nCommand and Control | T1437.001 | Application Layer Protocol: Web Protocols | VajraSpy uses HTTPS to communicate with its C\u0026C server; Wave Chat’s Retrofit client uploads over plain HTTP.\r\nCommand and Control | T1481.003 | Web Service: One-Way Communication | VajraSpy uses Google’s Firebase server as a C\u0026C.\r\nExfiltration | T1646 | Exfiltration Over C2 Channel | VajraSpy exfiltrates data using HTTPS.\r\nImpact | T1641 | Data Manipulation | VajraSpy removes files with specific extensions from the device, and deletes all user call logs and the contact list.\r\nSource: https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/"
	],
	"report_names": [
		"vajraspy-patchwork-espionage-apps"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-29T06:58:57.526159Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-29T06:58:58.103637Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-29T06:58:57.724114Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1777429229,
	"ts_updated_at": 1777450929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b36d2f14704d33920e77dc0a8488401a9ab9517b.pdf",
		"text": "https://archive.orkl.eu/b36d2f14704d33920e77dc0a8488401a9ab9517b.txt",
		"img": "https://archive.orkl.eu/b36d2f14704d33920e77dc0a8488401a9ab9517b.jpg"
	}
}