{
	"id": "01ff03bd-ae9e-4bc6-bdaa-56441e244791",
	"created_at": "2026-04-06T00:06:30.504563Z",
	"updated_at": "2026-04-10T03:36:33.388817Z",
	"deleted_at": null,
	"sha1_hash": "b4f1bcbef3b1af8fe39101d47b6d70e34214e0eb",
	"title": "New Wave of Espionage Activity Targets Asian Governments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71811,
	"plain_text": "New Wave of Espionage Activity Targets Asian Governments\r\nArchived: 2026-04-05 13:18:17 UTC\r\nA distinct group of espionage attackers who were formerly associated with the ShadowPad remote access Trojan\r\n(RAT) has adopted a new, diverse toolset to mount an ongoing campaign against a range of government and state-owned organizations in a number of Asian countries. The attacks, which have been underway since at least early\r\n2021, appear to have intelligence gathering as their main goal.\r\nThe current campaign appears to be almost exclusively focused on government or public entities, including:\r\nHead of government/Prime Minister’s Office\r\nGovernment institutions linked to finance\r\nGovernment-owned aerospace and defense companies\r\nState-owned telecoms companies\r\nState-owned IT organizations\r\nState-owned media companies\r\nTools\r\nA notable feature of these attacks is that the attackers leverage a wide range of legitimate software packages in\r\norder to load their malware payloads using a technique known as DLL side-loading. Usually, the attackers used\r\nmultiple software packages in a single attack. In many cases, old and outdated versions of software are used,\r\nincluding security software, graphics software, and web browsers. In some cases, legitimate system files from the\r\nlegacy operating system Windows XP are used. The reason for using outdated versions is that most current\r\nversions of the software used would have mitigation against side-loading built-in.\r\nDLL side-loading is a well-known technique that involves attackers placing a malicious DLL in a directory where\r\na legitimate DLL is expected to be found. The attacker then runs the legitimate application themselves (having\r\ninstalled it themselves in most cases). The legitimate application then loads and executes the payload.\r\nOnce a malicious DLL is loaded by the attackers, malicious code is executed, which in turn loads a .dat file. 
This\r\nfile contains arbitrary shellcode that is used to execute a variety of payloads and associated commands in memory.\r\nIn some cases, the arbitrary shellcode is encrypted.\r\nThe attackers also leverage these legitimate software packages to deploy additional tools, which are used to\r\nfurther aid in lateral movement. These tools include credential dumping tools, a number of network scanning tools\r\n(NBTScan, TCPing, FastReverseProxy, and FScan), and the Ladon penetration testing framework.\r\nAttacks usually unfold in the following manner:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments\r\nPage 1 of 8\n\nOnce backdoor access is gained, the attackers use Mimikatz and ProcDump to steal credentials. In some\r\ncases, the attackers dump credentials via the registry.\r\nThey then use network scanning tools to identify other computers of interest, such as those running RDP,\r\nwhich could facilitate lateral movement.\r\nThey leverage PsExec to run old versions of legitimate software, which are then used to load additional\r\nmalware tools such as off-the-shelf RATs via DLL side-loading on other computers on the networks.\r\nThe attackers also use a number of living-off-the-land tools such as Ntdsutil to mount snapshots of Active\r\nDirectory servers in order to gain access to Active Directory databases and log files. The Dnscmd\r\ncommand line tool is also used to enumerate network zone information. \r\nCase Study: An unfolding attack\r\nIn April 2022, the attackers targeted a government-owned organization in the education sector in Asia and\r\nmanaged to stay on its network until July. 
During the period of the compromise, the attackers accessed computers\r\nhosting databases and emails and eventually made their way to the domain controller.\r\nThe first sign of malicious activity occurred on April 23, when a malicious command was executed via\r\nimjpuex.exe (SHA256: fb5bc4baece5c3ab3dabf84f8597bed3c3f2997336c85c84fdf4beba2dcb700f). The file\r\nimjputyc.exe is a legitimate Windows XP file that was used by the attackers to side-load a malicious DLL file\r\n(imjputyc.dll), which in turn was used to load a .dat file (payload - imjputyc.dat). Following this activity,\r\nimjputyc.exe was used to launch a network service via svchost.exe, likely created by the malicious payload.\r\nCSIDL_SYSTEMX86\\svchost.exe NetworkService 7932\r\nAdditionally, around the same time, the attackers leveraged Imjpuex.exe to install and execute an eleven-year-old\r\nversion of Bitdefender Crash Handler (file name: javac.exe, SHA256:\r\n386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd). While Crash Handler was used for\r\nside-loading in this attack, it is just one of many old versions of applications that have been used by this group in\r\nrecent months.\r\nThe same Crash Handler executable was copied to CSIDL_SYSTEM_DRIVE\\xampp\\tmp\\vmware.exe and\r\nexecuted.\r\nThe attackers then installed and executed ProcDump in order to dump credentials from the Local Security\r\nAuthority Server Service (LSASS):\r\n p.exe -accepteula -ma lsass.exe lsass2.dmp\r\nThe attackers then launched several command prompts while reloading Crash Handler. This was likely done in\r\norder to install additional tools.\r\nShortly afterwards, a file called calc.exe (SHA256:\r\n912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9) appeared on the machine and was\r\nexecuted by the attackers. 
This was a renamed version of Mimikatz that the attackers then used to dump\r\ncredentials:\r\ncalc.exe \"\"privilege::debug\"\" \"\"sekurlsa::logonpasswords full\" \" exit \"\r\nOn April 26, further malicious activity occurred when the attackers ran the Crash Handler executable and installed\r\na file called cal.exe (SHA256: 12534f7014b3338d8f9f86ff1bbeacf8c80ad03f1d0d19077ff0e406c58b5133) on the\r\ncompromised machine.\r\nThis file was LadonGo v3.8, a publicly available penetration testing framework that is written in Go. The attackers\r\nappear to have used LadonGo to scan the internal network for machines with RDP services running and attempted\r\nto exploit or log in to those machines using the credentials they stole several days earlier. There was also some\r\nevidence of brute-force login attempts against machines of interest.\r\nOn May 6, the attackers resumed their attack and ran the Crash Handler executable (this time named svchost.exe)\r\nand installed a new variant of Mimikatz named test.exe (SHA256:\r\n912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9). This was likely done in order to\r\nobtain more credentials. The attackers then ran LadonGo and attempted to exploit a Netlogon vulnerability (CVE-2020-1472) against two other computers in the organization in order to elevate privileges.\r\nOn May 16, the attackers increased their level of activity and began moving laterally across the organization’s\r\nnetwork from the initially compromised computer (Computer #1).\r\nOn a second computer (Computer #2), the attackers launched a command prompt and executed a variant of\r\nMimikatz (file name: test.exe, SHA256:\r\n912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9). The attackers then deployed a\r\nnumber of Knowledge Base files (e.g. kb0394623.exe) on the computer. 
These files are legitimate copies of the\r\nWindows command prompt (with 16 bytes of the rich header modified).\r\nOn a third computer (Computer #3), the attackers used PsExec to execute the same older version of Crash Handler\r\nused on Computer #1, this time named javac.exe. A copy of this executable was then made to\r\ncsidl_program_files\\windows mail\\winmailservice.exe and was executed.\r\nThe attackers then ran dnscmd.exe (SHA256:\r\n67877821bf1574060f4e45ab8be62e28f54fb40a23ce70b86a6369a4d63db5bc), which was used to enumerate DNS\r\nconfiguration information on the compromised computer:\r\nDnscmd . /EnumZones\r\nDnscmd is a Microsoft command-line tool for managing DNS servers. It can be used to script batch files to help\r\nautomate routine DNS management tasks or to perform routine setup of new DNS servers. The enumzones\r\ncommand is used to list the zones that exist on the specified DNS server. If no filters are specified, a complete list\r\nof zones is returned.\r\nCrash Handler was then used to install imjpuex.exe in the csidl_common_appdata\\veritas directory which in turn\r\nwas used to side-load a DLL file of the same name and load a .dat file to execute an unknown custom payload.\r\nShortly after this, the attackers attempted to list the records of multiple specific zones by specifying the domain on\r\nthe command line:\r\nDnscmd . /ZonePrint [REDACTED_DOMAIN]\r\nOn a fourth computer (Computer #4), the attackers used PsExec to execute Crash Handler (this time named\r\ntest.exe). 
They then installed and executed two KB files in the %TEMP% directory.\r\n• SHA256: 5c4456f061ff764509a2b249f579a5a14d475c6714f714c5a45fdd67921b9fda\r\n• SHA256: ded734f79058c36a6050d801e1fb52cd5ca203f3fd6af6ddea52244132bd1b51\r\nAgain, both of these files were modified versions of the Windows command prompt.\r\nOn May 17, the attackers deployed several more modified Windows command prompt applications on Computer\r\n#4. They also deployed the side-loading technique on Computer #5 to execute the legitimate svchost.exe\r\napplication, possibly to facilitate some process injection.\r\nOn May 19, the attackers returned to Computer #5 and used svchost to launch NetworkService. The attackers then\r\nused a variant of Mimikatz named calc.exe, which was used earlier in the attack (SHA256:\r\n912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9). Mimikatz was used to dump\r\ncredentials from the compromised host.\r\nOn May 24, the attackers turned their attention to Computer #3, using PsExec to execute the whoami command\r\nand determine the currently logged-in user. They then ran an unknown batch file named t.bat via PsExec.\r\nIt is likely the following commands were executed from this script in order to create a new user account:\r\nnet user [REDACTED]\r\nCSIDL_SYSTEM\\net1 user [REDACTED] Asd123.aaaa /add\r\nnet localgroup [REDACTED] [REDACTED]/add\r\nCSIDL_SYSTEM\\net1 localgroup [REDACTED]  /add\r\nCSIDL_SYSTEM\\net1 user [REDACTED] Asd123.aaaa /add\r\nThe script uses net.exe to check if a specific user account already exists. It then attempts to create a user account\r\nwith the password Asd123.aaaa and add it to the local group on the machine. Several minutes later, Task\r\nManager was launched followed by a command prompt. 
The attackers then ran the following command to mount a\r\nsnapshot of the Active Directory server:\r\nntdsutil snapshot \"mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb\" quit quit\r\nThese snapshots contain sensitive information such as the Active Directory database (i.e. user credentials) and log\r\nfiles. The string c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb is the index number of the snapshot.\r\nThe attackers then moved to Computer #5, where they used ProcDump (file name: p.exe, SHA256:\r\n2f1520301536958bcf5c65516ca85a343133b443db9835a58049cd1694460424) to dump credentials from LSASS:\r\np.exe -accepteula -ma lsass.exe lsass2.dmp \r\nOn May 26, the attackers returned to Computer #1 and executed a file called go64.exe. This file was a copy of\r\nFscan. The attackers ran the following command to mass scan for any machines within the compromised network\r\n(specifically a class C scan against machines in the IP range 10.72.0.0 → 10.72.0.255) with RDP services:\r\ngo64.exe -h 10.72.0.101/24 -pa 3389\r\nThere is also evidence that the attackers leveraged Fscan in order to perform exploit attempts against other\r\nmachines on the network, including leveraging one of the ProxyLogon vulnerabilities (CVE-2021-26855) against\r\nan Exchange Server. Suspicious SMB activity also occurred around this time, suggesting the attackers may have\r\nalso leveraged other exploits (likely EternalBlue) against any open SMB services. \r\nOn June 6, the attackers ran PsExec on Computer #3 to launch the previously used old version of Crash Handler\r\n(file name: winnet.exe) from the %USERPROFILE%\\public\\ directory.\r\nThey ran the Dnscmd utility again to enumerate all available zones, before executing winnet.exe again and a copy\r\nof Crash Handler located at APPDATA%\\t.exe to load additional malicious payloads (likely used to install\r\nProcExplorer):\r\nDnscmd . 
/EnumZones \r\n\"CSIDL_COMMON_APPDATA\\t.exe\" \r\nSeveral hours later, ProcExplorer (64-bit) was launched:\r\n\"CSIDL_PROFILE\\desktop\\processexplorer\\procexp64.exe\" \r\nThe last known malicious activity occurred on July 8 on Computer #3. The system hive file was dumped from the\r\nregistry in order to extract user credentials. \r\nreg save HKLM\\SYSTEM system.hiv \r\nPayloads\r\nWhile this group of attackers was previously using ShadowPad, it has since moved on and has been deploying a\r\nrange of payloads.\r\nOne of the payloads used was a previously unseen, feature-rich information stealer (Infostealer.Logdatter), which\r\nappeared to be custom built. Its capabilities included:\r\nKeylogging\r\nTaking screenshots\r\nConnecting to and querying SQL databases\r\nCode injection: Reading a file and injecting the contained code into a process\r\nDownloading files\r\nStealing clipboard data\r\nOther payloads used by the attackers included:\r\nPlugX/Korplug Trojan\r\nTrochilus RAT\r\nQuasarRAT\r\nLadon penetration testing framework\r\nNirsoft Remote Desktop PassView: A publicly available tool that reveals the password stored by the\r\nMicrosoft Remote Desktop Connection utility inside .rdp files\r\nA Simple Network Management Protocol (SNMP) scanning tool\r\nFscan: A publicly available intranet scanning tool\r\nNbtscan: A command-line tool that scans for open NETBIOS name servers\r\nFileZilla: A legitimate FTP client\r\nFastReverseProxy: A reverse proxy tool\r\nWebPass: A publicly available password collection tool\r\nTCPing: A publicly available tool that enables pings over TCP\r\nVarious process dumpers\r\nVarious keyloggers\r\nA number of PowerSploit scripts\r\nLinks to earlier activity\r\nShadowPad is a modular RAT that was designed as a successor to the Korplug/PlugX Trojan and was, for a period\r\nof time, sold on underground forums. 
However, despite its origins as a publicly available tool, it has since been\r\nclosely linked to espionage actors. The tool was only sold publicly for a very short period of time and it is\r\nbelieved that it was only sold to a handful of buyers.\r\nThere is limited evidence to suggest links to past attacks involving the Korplug/PlugX malware and to attacks by a\r\nnumber of known groups, including Blackfly/Grayfly (APT41) and Mustang Panda. For example, the attackers\r\nleveraged a legitimate file called HPCustParticUI.exe, which was developed by HP for digital imaging\r\napplications. This previously occurred in attacks involving Korplug/PlugX. Furthermore, the attackers used a file\r\ncalled hpcustpartui.dll as a likely loader. The same loader was used in a long-running campaign involving\r\nKorplug/PlugX targeting the Roman Catholic Church.\r\nThe current campaign uses a legitimate Bitdefender file to side-load shellcode. This same file and technique were\r\nobserved in previous attacks linked to APT41. We have also observed the same keylogging tool deployed in\r\nprevious attacks against critical infrastructure in South East Asia.\r\nThe use of legitimate applications to facilitate DLL side-loading appears to be a growing trend among espionage\r\nactors operating in the region. Although it is a well-known technique, it must be yielding some success for attackers\r\ngiven its current popularity. 
Organizations are encouraged to thoroughly audit software running on their networks\r\nand monitor for the presence of outliers, such as old, outdated software or packages that are not officially used by\r\nthe organization.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments"
	],
	"report_names": [
		"espionage-asia-governments"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4f1bcbef3b1af8fe39101d47b6d70e34214e0eb.pdf",
		"text": "https://archive.orkl.eu/b4f1bcbef3b1af8fe39101d47b6d70e34214e0eb.txt",
		"img": "https://archive.orkl.eu/b4f1bcbef3b1af8fe39101d47b6d70e34214e0eb.jpg"
	}
}