{
	"id": "460c6dd7-2f32-4c92-bdfc-3f6bd28baea3",
	"created_at": "2026-04-06T00:07:24.289321Z",
	"updated_at": "2026-04-10T03:36:33.932238Z",
	"deleted_at": null,
	"sha1_hash": "b5163fedaa03cd59f8742afac4a95c27cdf9fd9c",
	"title": "Hive0154 Mustang Panda Shifts Focus Tibetan Community Deploy Pubload Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4964453,
	"plain_text": "Hive0154 Mustang Panda Shifts Focus Tibetan Community Deploy Pubload Backdoor\r\nBy Golo Mühr, Joshua Chung\r\nPublished: 2025-06-23 · Archived: 2026-04-05 19:00:10 UTC\r\nJoshua Chung\r\nCyber Threat Intelligence Analyst\r\nIBM Security\r\nSummary\r\nIn June 2025, IBM X-Force researchers discovered the China-aligned threat actor Hive0154 spreading Pubload malware with lure documents and filenames targeting the Tibetan community. The Tibetan sovereignty dispute is often invoked by Chinese threat groups in their cyber operations, and the latest campaign coincides with activities leading up to a major event for the Tibetan community, the Dalai Lama's 90th birthday.\r\nSeveral of the observed lures feature the following topics related to the Tibetan community:\r\nThe 9th World Parliamentarians' Convention on Tibet (WPCT), held from June 2 to June 4 in Tokyo, Japan.\r\nChina’s education policy in the Tibet Autonomous Region (TAR). The topic is of high importance to the Tibetan community, and cultural assimilation in Tibet has been noted by Human Rights Watch in its report. 
\r\nThe March 2025 book Voice for the Voiceless, published by the Tibetan leader-in-exile, the Dalai Lama. The book discusses the Dalai Lama's dialogue with Chinese leaders regarding the independence of Tibet.\r\nKey findings\r\nChina-aligned threat actor Hive0154 has spread numerous phishing lures in targeted campaigns throughout 2025 to deploy the Pubload backdoor\r\nHive0154 devises filenames referencing various geopolitical topics tailored to elicit increased interest from the targeted recipients\r\nAs of May 2025, X-Force noticed an increased focus on topics tailored to target the Tibetan community\r\nThe phishing campaigns reference the 9th World Parliamentarians' Convention on Tibet (WPCT) held in Tokyo in June, China’s education policy in the Tibet Autonomous Region (TAR) and the 2025 book Voice for the Voiceless by the Dalai Lama\r\nHive0154 overview\r\nHive0154 is a well-established China-aligned threat actor with a large malware arsenal, consistent techniques and well-documented activity over the past several years. The group consists of multiple subclusters and engages in cyberattacks targeting public and private organizations, including think tanks, policy groups, government agencies and individuals. X-Force's observation of the group's use of multiple custom malware loaders, backdoors and USB worm families showcases their advanced capabilities. Hive0154 activity overlaps with threat actors publicly reported as Mustang Panda, Stately Taurus, Camaro Dragon, Twill Typhoon, Polaris and Earth Preta.\r\nPrevious activity\r\nX-Force previously detailed extensive activity attributed to a subcluster of Hive0154 targeting the US, Philippines, Pakistan and Taiwan in a suspected espionage campaign from late 2024 to early 2025. 
The group makes use of weaponized archives originating from spear phishing emails to target government, military and diplomatic personnel in the Philippines, the United States and Pakistan. The phishing emails, archives and malicious file names use references to various geopolitical topics tailored to their specific audience to elicit increased interest from the recipients. The emails commonly include Google Drive URLs that download weaponized ZIP or RAR archives if the recipient clicks on the link.\r\nFig. 1: Example Hive0154 phishing email from a campaign in April 2025.\r\nThe archives contain a benign executable vulnerable to DLL sideloading and a malicious Claimloader DLL. The executables are typically renamed to trick victims into opening them, which would immediately trigger the infection chain. The Claimloader malware establishes persistence, decrypts its embedded Pubload payload and injects it into memory. Pubload further downloads Pubshell, a lightweight backdoor facilitating immediate access to the machine via a reverse shell.\r\nFig. 
2: Pubload infection chain\r\n9th World Parliamentarians' Convention on Tibet (WPCT)\r\nAt the time the campaign first began (May 21), the WPCT lure below was likely a reference to the upcoming convention held in Tokyo, Japan, from June 2 to June 4.\r\nLure name | Submitter country | Claimloader DLL SHA256 | Date\r\n(WPCT)-ICT\u0026CTA_Conference/(World_Parliamentarians’_Convention_on_Tibet(WPTC)_in_Japan_tokyo).June 2025.exe | India | 2bd60685299c62abe500fe80e9f03a627a1567059ce213d7c0cc762fa32552d7 | 21 May 2025\r\nThe convention is usually held in the U.S. or Europe, and was hosted in Japan for the first time. Overall, 142 parliamentarians and representatives from 29 countries were in attendance, including parliamentary members from Belgium and Japan. The Chinese embassy in Japan issued a strong denouncement of the involvement of the Central Tibetan Administration, also known as the Tibetan government-in-exile, in the convention. The convention resulted in the Tokyo Declaration, condemning Chinese government repression in the Tibet region and calling for international legislation to safeguard Tibetan cultural and religious freedom. X-Force researchers uncovered the Hive0154 campaign devising different lures pre- and post-convention.\r\nAfter the convention, several declarations were issued, including the Region-Wise Action Plans on Tibet. Hive0154 likely copied the document from the website into a benign Microsoft Word document (DOCX) within a weaponized archive. 
The archive further contains articles directly copied from multiple Tibetan websites in relation to the convention, as well as authentic photos from the convention. The presence of legitimate articles and photos among weaponized executables sharing the same names is likely meant to trick victims into accidentally opening one of the EXE files and unknowingly triggering the infection.\r\n\"9th WPCT Region-Wise Action Plans on Tibet.exe\":\r\nFig. 3: Screenshot of benign DOCX packaged into weaponized archive together with EXEs sharing the same filename\r\n\"Tibet in Focus as Global Lawmakers Convene in Tokyo.exe\":\r\nFig. 4: Screenshot of benign DOCX packaged into weaponized archive together with EXEs sharing the same filename (Source: Tibet.net)\r\nPhotos from the convention used as lure: \"9th WPCT Region-Wise Action Plans on Tibet(DSC01650.jpg).exe\"\r\nFig. 5: JPG image packaged into weaponized archive (Source: Tibet.net)\r\nFig. 
6: Images from the convention packaged into weaponized archive together with malicious EXE and DLL (Source: Tibet.net)\r\nFurther activity targeting the Tibetan community and the U.S.\r\nIn another campaign, X-Force uncovered additional malicious Tibet-themed files. These files have names with topics that are of interest to the Tibetan community, such as bilingual education in Tibet or the title of a recently published book by the Dalai Lama. Such topics were probably chosen to make the recipients receptive and entice them to click the file. It is notable that the Tibetan-related samples were submitted from India, where the Tibetan government-in-exile currently operates, which suggests that recipients of the files may have submitted them to VirusTotal. In a parallel campaign, X-Force discovered a file likely targeting the U.S. Navy, potentially discussing ongoing working group meetings between the U.S. 
Navy and other parties.\r\nLure name | Submitter country | Claimloader DLL SHA256 | Date\r\nDRC Mining, Strategic Minerals Development Policy/April 17/DRC Mining, Strategic Minerals Development Policy.exe | United States | c80dfc678570bde7c19df21877a15cc7914d3ef7a3cef5f99fce26fcf696c444 | 17 April 2025\r\nསྐད་གཉིས་སློབ་གསོ་བསྒྱུར་བཅོས་སྙན་ཞུ/སྐད་གཉིས་སློབ་གསོ་བསྒྱུར་བཅོས་སྙན་ཞུ.exe (translated Tibetan: Bilingual Education Reform Report/Bilingual Education Reform Report.exe) | India | 93f1fd31e197a58b03c6f5f774c1384ffd03516ab1172d9b26ef5a4a32831637 | 26 May 2025\r\nVoice for the Voiceless photos/Voice for the Voiceless photos.exe | India | 3e7384c5e7c5764258947721c7729f221fb47ef53d447a7af5db5426f1e7c13d | 28 May 2025\r\n(USPACFLT) Working_Group_Meeting/DF for After Activity Report on the conduct of 4th PN-United States Pacific Fleet (USPACFLT) Working Group Meeting (WGM).exe | United States | 8cd4324e1e764aafba4ea0394a82943cefd7deeee28a6cbd19f2ba69de6a5766 | 9 June 2025\r\n\"སྐད་གཉིས་སློབ་གསོ་བསྒྱུར་བཅོས་སྙན་ཞུ/སྐད་གཉིས་སློབ་གསོ་བསྒྱུར་བཅོས་སྙན་ཞུ.exe\" (translated Tibetan: Bilingual Education Reform Report/Bilingual Education Reform Report.exe): The topic is of high importance to the Tibetan community, and cultural assimilation in Tibet has been noted by Human Rights Watch in its report.\r\n\"Voice for the Voiceless photos/Voice for the Voiceless photos.exe\": This is a reference to a book published by the Tibetan leader-in-exile, the Dalai Lama, in March 2025. 
He writes about his dialogue with Chinese leaders regarding the independence of Tibet.\r\n\"DRC Mining, Strategic Minerals Development Policy/April 17/DRC Mining, Strategic Minerals Development Policy.exe\": This file may be a reference to the Democratic Republic of Congo (DRC) mining deal with the U.S. and efforts to gain its support for such a deal after observing Ukraine reaching a similar deal with the U.S. As of June 2025, the DRC is about to finalize the deal with the U.S. in return for military and diplomatic assistance against M23 rebels who are being supported by neighboring Rwanda.\r\n\"(USPACFLT) Working_Group_Meeting/DF for After Activity Report on the conduct of 4th PN-United States Pacific Fleet (USPACFLT) Working Group Meeting (WGM).exe\": This may be a reference to the U.S. Navy's Pacific Fleet and its outreach activities to Pacific Rim countries. The fleet provides naval forces to the U.S. Indo-Pacific Command and may be called upon in the event of a conflict in Taiwan.\r\nTechnical details: Claimloader updates\r\nClaimloader is a family of loaders that have evolved significantly over the past years. They contain an encrypted shellcode payload, which is decrypted and injected at runtime. Our previous blog provides more technical details on previous variants used by Hive0154.\r\nOn the first execution, Claimloader begins by creating a new mutex object to ensure only a single instance of Claimloader is running. 
It then moves itself and the EXE of its host process, which is used for DLL sideloading, into a new directory under new names, such as:\r\nC:\\ProgramData\\AdobeLicensingPlugin\\WF_Adobe_licensing_helper.exe\r\nC:\\ProgramData\\AdobeLicensingPlugin\\libjyy.dll\r\nNext, Claimloader uses the API SHSetValueA() to establish persistence for the EXE via the registry key below:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nThis causes the EXE to be executed every time the current user logs onto the machine. The process is executed with a predefined argument, such as \"Licensing\", which is used to invoke the main functionality of Claimloader.\r\nOn the second Claimloader execution with the specified argument, the latest Claimloader variant begins to decrypt an embedded payload via the TripleDES algorithm. This algorithm has only been observed in Claimloader variants starting late April 2025. The updated variants also use XOR-encrypted API names and the native APIs LdrLoadDll() and LdrGetProcedureAddress() to resolve imports dynamically.\r\nAfter sleeping for five seconds, Claimloader allocates a new executable buffer in memory and copies the shellcode payload into it. The malware sleeps for another 10 seconds and then calls the APIs GetDC() and EnumFontsW(), which it uses to execute the payload in memory by passing its entry point as a callback function.\r\nPubload backdoor\r\nThe Pubload shellcode payload has not undergone any updates since our last reporting. It contains a simple self-decrypting routine before executing its main functionality. Pubload is a simple backdoor capable of downloading encrypted shellcode payloads, which are injected into memory. 
One of the first payloads is the Pubshell module, which implements a reverse shell to facilitate immediate access to the infected machine.\r\nConclusion\r\nHive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles. X-Force assesses with high confidence that China-aligned groups like Hive0154 will continue to refine their large malware arsenal and target public and private organizations worldwide. Entities at risk of Hive0154 activity should remain at a heightened state of defensive security and remain vigilant with regard to the techniques mentioned in this report.\r\nRecommendations\r\nExercise caution with emails containing a Google Drive download link\r\nExercise caution with downloaded archives, even if they do contain expected documents. Train staff to display and recognize unexpected file extensions.\r\nMonitor and hunt in networks for TLS 1.2 Application Data packets (header: 17 03 03) without a previous TLS handshake as a sign of a Pubload or Toneshell beacon\r\nMonitor and hunt for USB drives containing suspicious executable names, DLLs and hidden directories which could indicate a device infected with a USB worm\r\nMonitor and hunt for suspicious and unknown directories in C:\\ProgramData\\* which contain a legitimate EXE vulnerable to DLL sideloading and a corresponding DLL\r\nMonitor and hunt for persistence techniques in the registry and scheduled tasks\r\nMonitor any unusual network, persistence or file modification activity coming from seemingly benign process executables that sideload a malicious DLL\r\nIndicators of compromise\r\nSource: https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor"
	],
	"report_names": [
		"hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434044,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5163fedaa03cd59f8742afac4a95c27cdf9fd9c.pdf",
		"text": "https://archive.orkl.eu/b5163fedaa03cd59f8742afac4a95c27cdf9fd9c.txt",
		"img": "https://archive.orkl.eu/b5163fedaa03cd59f8742afac4a95c27cdf9fd9c.jpg"
	}
}