{
	"id": "d1c4599e-a2a2-4497-ae5d-de95497f17d6",
	"created_at": "2026-04-06T00:14:53.474112Z",
	"updated_at": "2026-04-10T03:37:54.494415Z",
	"deleted_at": null,
	"sha1_hash": "b55babb796170e1de2a490eaf16e99f4a8ea594f",
	"title": "MS Exchange Tool (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30796,
	"plain_text": "MS Exchange Tool (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:57:24 UTC\r\nMS Exchange Tool\r\nActor(s): Mirage\r\nThere is no description at this point.\r\nReferences\r\nYara Rules\r\n[TLP:WHITE] win_exchange_tool_w0 (20180312 | Detects malware from APT 15 report by NCC Group)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool"
	],
	"report_names": [
		"win.exchange_tool"
	],
	"threat_actors": [
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434493,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b55babb796170e1de2a490eaf16e99f4a8ea594f.pdf",
		"text": "https://archive.orkl.eu/b55babb796170e1de2a490eaf16e99f4a8ea594f.txt",
		"img": "https://archive.orkl.eu/b55babb796170e1de2a490eaf16e99f4a8ea594f.jpg"
	}
}