{
	"id": "b575ef47-ba8e-4a24-9bfa-fb322c55416d",
	"created_at": "2026-04-06T00:09:08.936734Z",
	"updated_at": "2026-04-10T13:12:06.200582Z",
	"deleted_at": null,
	"sha1_hash": "b5d6a1ba53684b23b7e2392529bf245df3e4e306",
	"title": "(C)0ld Case : From Aerospace to China’s interests.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10058863,
	"plain_text": "(C)0ld Case : From Aerospace to China’s interests.\r\nPublished: 2018-11-16 · Archived: 2026-04-05 14:28:46 UTC\r\nUsing events collected mostly from passive DNS records, I will show that threat actor(s)/group(s) have been using, since 2010, a “DNS hijacking” tactic, observed here as the replacement of a victim’s zone authoritative name servers by name servers under their control, for a short period of time. This can enable interception, espionage or sabotage. The victim profiles found strongly align with China’s interests. Various areas of activity are concerned, from Fortune 100 companies to cultual or religious organizations :\r\nFrance: Safran, Snecma (now Safran Aircraft Engines)\r\nKorea: Microsoft, Adobe, Honeywell, Nintendo, Logic Korea (video games), KFTC (financial payment service), Minghui (Falun Gong organization), Shinchonji (Evangelists)\r\nAustralia: Australian Postal Corporation, Guangming (Falun Gong organization)\r\nUnited States : Makerbot (3D printing company).\r\nUS DOJ \u0026 Aerospace\r\nReferring to the indictment by the U.S. Department of Justice (DOJ) of ten Chinese intelligence officers for espionage (2018-10-10), cf:\r\nhttps://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/\r\nPage 1 of 28\n\nAnd according to this indictment : “Beginning in at least December 2013 and continuing until his arrest, Xu targeted certain companies inside and outside the United States that are recognized as leaders in the aviation field.”\r\nNB: You can read this link too, which also summarizes these recent events well.\r\nI decided to look at what I could find on a (c)old case “linked” to this indictment. 
My starting point was this CrowdStrike article from February 25th, 2014 :\r\nThe events (published and/or occurring around the same period), i.e. at the end of 2013 and the beginning of 2014 :\r\nFrench Aerospace: 2014-01-11 · VFW: 2014-02-11 · CrowdStrike article: 2014-02-25\r\nWe know that Safran, Snecma (a Safran subsidiary) and the French aerospace industries association, the “Groupement des industries françaises aéronautiques et spatiales” (GIFAS), were concerned.\r\nI decided to start from what we know and to look into passive DNS data, mostly.\r\nsecure[.]safran-group[.]com\r\nThe first thing was that Safran left one of its resource records (RR) pointing to a malicious IP for more than two months. (?!) The two other domains were, a contrario, malicious domains crafted for the operation and not directly related to the victims.\r\n(Source DNSDB)\r\nSafran Name Server\r\nFrom the CrowdStrike article :\r\n“Of particular interest was secure[.]safran-group[.]com. Safran is a France-based aerospace and defense company with a focus on the design and production of aircraft engines and equipment. The company owns the safran-group[.]com domain, and the fact that one of its subdomains was pointed at a malicious IP address suggests that the adversary compromised Safran’s DNS.”\r\nThe second point is the bold text above : “(…) the adversary compromised Safran’s DNS.” I did not find anything that could help to understand how it was accomplished. 
By searching the Internet I found a UC San Diego thesis titled “Investigating DNS Hijacking Through High Frequency Measurements”, which seems well informed on the incidents :\r\nSnecma Name Server\r\nWhat we can read in the CrowdStrike article is that a number of domains were added to the “hosts” file of victim machines, but :\r\n“the purpose of this component is unclear. It does not map these domains to malicious IP addresses because the 217.108.170.0/24 range belongs to the company”\r\nBy looking at the snecma.fr name servers at that time, I found some weird ones : ns1.acfine.net and ns2.acfine.net\r\nTime first seen was the 20th of November 2013 : did the attack occur first ? Idem for 2 days in August 2013 : no idea.\r\nIf we now look at the domains that were using these name servers, we see interesting points :\r\nWhat is interesting with these domains/sites is the mix of target profiles and China’s interests :\r\nsnecma.fr was mentioned previously and was without any doubt of interest to China at that time. We have covered this briefly above.\r\nguangming.org seems to be a “Falun Gong” information website, which is of utmost interest in China’s policy. We can see multiple references to this “organization”, and China sees it as a cult (see e.g. this official Chinese governmental link). NB: The website may be related to their practice in Australia.\r\nauspost.com.au\r\nThis is the website of the Australian Postal Corporation. 
Maybe linked to the possible Falun Gong targets above ?\r\nmakerbot.com is a 3D printing company based in New York.\r\nCould this be another objective of the attackers, or another group inside a team ? An APT could be composed of several groups/teams with different goals, sometimes using the same architecture or sharing the same TTPs.\r\nThis is an open line of investigation… but I found on the website that a Lockheed Martin Senior Research Engineer had been using their product since 2014 : it could be interesting for attackers to target this company in order to correlate different data.\r\ne.g.: Lockheed Martin blueprints + robotic mechanisms \u0026 engineering\r\nCorrelating two different databases can reveal useful information, e.g.: the Office of Personnel Management (OPM), which handles the SF-86 form used to obtain a security clearance, + Anthem (health insurance) made it possible to find CIA agents by doing a diff between the data…\r\nLinkedin profile :\r\nAirbus \u0026 Microsoft Korea\r\nSample (0237f92714f28d755025fa6ba0f4759c7797edd73c4ccbd544495941ae0e0bcd) contacting the Microsoft domain :\r\nNB: The compilation timestamp 2012-11-21 07:17:31 of the above sample is consistent with the DNSDB timestamps too, see below : 2012-11-11 to 2012-11-22\r\nHere are the contacted URLs : (Source VT)\r\nA victim contacted a Microsoft 
domain ? A legitimate one ? I did a little research and yes, microsoft.co.kr now redirects to microsoft.com/korea for its corporate website.\r\nI searched Farsight DNSDB passive DNS records and looked at all records for this domain : microsoft.co.kr.\r\nSame as previously: for short time periods, 1 day in 2010 and more than 11 days in 2012, the Microsoft Korea name servers were pointed to what I immediately found suspect, respectively ns21.dollar2host.com / ns22.dollar2host.com and ns0.nscomdomain.com / ns1.nscomdomain.com.\r\nNB: ns2.msft.net (and ns3, ns4..) were not suspect because msft.net is a legitimate Microsoft domain, but NOT the others…\r\nMicrosoft in Korea was pwned 2 times, in 2010 and 2012, and as far as I know this information has not been well documented.\r\nWhat could possibly go wrong ?\r\nSame tactic ? DNS hijacking, let’s see…\r\nns21.dollar2host.com / ns22.dollar2host.com (NS)\r\nWhat domains were using these name servers ? First of all there are a LOT of domains.. crappy or legitimate ones. 
While looking around the time of usage of my microsoft.co.kr domain, I found several other corporate domains :\r\nmicrosoftstore.co.kr\r\nadobe.co.kr\r\nnintendo.co.kr\r\nE.g. for Nintendo, today’s website for the nintendo.co.kr domain :\r\nWhile sweeping through the pages and pages (…) of domains I discovered other financial \u0026 banking domains, but I suppose they serve another objective because the time they were using the NS is longer : a few months and not hours/minutes. I did not check whether the domains were legitimate at the time or whether they were mimicking their target’s name.\r\nNB: chryslerfinancialinfoservice.com from 2010-08-23 to 2010-11-28 is not represented above.\r\nThis could be what I call a batch process used by the threat actor: look at the exact same timing. In these groups they need to “stick to the rules” to protect (compartmentalize) information for security, and their registration process may reveal batch operations.\r\n2018-11-24 Update : continuing on ns21, I saw that microsoft.kr was briefly using this NS in 2010 too :\r\nI also found ns1.dqtec.com (and ns2.dqtec.com), which were using this NS in 2010 too, e.g. ns1.dqtec.com below:\r\nWhat was the IP resolution of these records ?\r\nns1.dqtec.com ==\u003e 67.212.186.170\r\nns2.dqtec.com ==\u003e 67.212.186.171\r\ncf:\r\nand :\r\nNow What?\r\nEcuador\r\nIf these IPs were used for bad things at the time (no idea..), some other records may have pointed to them.. Again, pivoting :\r\nSource: DNSDB\r\nI have no idea whether these records were legitimate at that time. 
First things first, referring to Wikipedia, .gob.ec was replaced by .gov.ec :\r\nFor the domains :\r\nhanm.gob.ec was “el Hospital Provincial Alfredo Noboa Montenegro”.\r\ncnecarchi.gob.ec was the “Delegación Electoral del Carchi”, reporting to Ecuador’s National Electoral Council for “la delegación de” (roughly “the district of”…) Carchi; the website at the time (2012-05-25) :\r\nNowadays the website :\r\nsevfae.mil.ec : we can broadly interpret its function as Ecuador’s Air Force virtual education system. It is a military website and domain.\r\nThe website at the time was :\r\nNowadays :\r\nAGA is the “Academia de Guerra Aérea FAE”, which translates to Ecuador’s Air Force war academy. This is also “similar” to the last domain below :\r\nacademiadeguerraaerea.mil.ec\r\nIllustration nowadays (not the same domain..) :\r\nns0.nscomdomain.com / ns1.nscomdomain.com (NS)\r\nSame process. What domains were using these name servers ?\r\nHere, when I search for ns0, there are fewer domains, in fact only 6, including our microsoft.co.kr. 
All information was from 2012 :\r\nExamining these domains, I was really surprised to find that minghui.or.kr was linked to “Falun Gong” too !\r\nDo you remember “guangming.org” at the beginning of this blog post ? That could reveal the same kind of interest by this/these actor(s).\r\nshinchonji.kr is another religious/cult organization (Evangelists, as far as I understand) that may also be of interest for China’s monitoring policy.\r\nlogickorea.co.kr is a Korean company in the video games business. I immediately think of the APT that targeted the video games industry (Winnti). As Kaspersky noted in its report “Winnti. More than just a game”, South Korean video game vendors were targeted :\r\n“Interestingly, the digital signature belonged to another video game vendor – a private company known as KOG, based in South Korea.”\r\nkftc.or.kr is a Korean financial payment service company with many services today : the Cash Dispenser (CD) Network, Interbank Fund Transfer (IFT), HOFINET, and the Korea Cash (K-CASH) Network, which connects KFTC, all banks in Korea and a system service provider (SP) for payment settlements using an electronic currency. K-CASH would be a target for any intelligence service on earth, including the Ministry of State Security (MSS / Guoanbu). 
Do you remember the NSA compromise of the SWIFT network revealed in 2017 ?\r\nhoneywell.co.kr\r\nI know that one 🙂 Honeywell, not because I’m an ICS/SCADA guy but because of Shodan ! 😉 Anyway, this Honeywell Korean website was in the list too… NB: the honeywell.co.kr website redirects to http://www.honeywell.com/worldwide/ko-kr\r\nConclusion\r\nStarting from public indicators and passive DNS data, and by looking at the domains, their zone authoritative name servers, and the other domains using the latter (pivoting), we discovered victims.\r\nThe volume and diversity of domain names suggest that multiple threat actors were likely involved.\r\nIt is also likely that these operations are in line with China’s interests, especially because of the cultual/religious aspect, which was of utmost interest to China at the time of these events. 
NB: The same kind of interest is shown e.g. by NetTraveler, which specifically targets Tibetan/Uyghur activists.\r\nActors could use a service such as a “DNS hijacking” tactic broker (as the Elderwood project was, by comparison, an APT 0-day broker), or they likely used a shared process for this tactic.\r\nBy understanding the actors’ tradecraft, we also shine some light on China’s policy, its supposed intelligence services (MSS/Guoanbu), and the business needs since 2010 of APT actors (sometimes named Turbine Panda / BlackVine \u0026 Winnti) for which one of the central and common capabilities is the Sakula malware.\r\nSource: https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/"
	],
	"report_names": [
		"c0ld-case-from-aerospace-to-chinas-interests"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a080173e-7141-4d46-831d-a5f15ebef31a",
			"created_at": "2023-01-06T13:46:38.629955Z",
			"updated_at": "2026-04-10T02:00:03.044597Z",
			"deleted_at": null,
			"main_name": "APT26",
			"aliases": [
				"JerseyMikes",
				"TURBINE PANDA",
				"BRONZE EXPRESS",
				"TECHNETIUM",
				"Taffeta Typhoon"
			],
			"source_name": "MISPGALAXY:APT26",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a339e456-3f5a-40e9-b293-233281105e85",
			"created_at": "2022-10-25T15:50:23.260847Z",
			"updated_at": "2026-04-10T02:00:05.248583Z",
			"deleted_at": null,
			"main_name": "Elderwood",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"Beijing Group",
				"Sneaky Panda"
			],
			"source_name": "MITRE:Elderwood",
			"tools": [
				"PoisonIvy",
				"Naid",
				"Briba",
				"Hydraq",
				"Linfo",
				"Nerex",
				"Vasport",
				"Wiarp",
				"Pasam"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "57d2c58d-0445-441f-b94f-99d217b9e3c4",
			"created_at": "2023-01-06T13:46:38.327743Z",
			"updated_at": "2026-04-10T02:00:02.930027Z",
			"deleted_at": null,
			"main_name": "Beijing Group",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"SIG22",
				"G0066",
				"SNEAKY PANDA"
			],
			"source_name": "MISPGALAXY:Beijing Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434148,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5d6a1ba53684b23b7e2392529bf245df3e4e306.pdf",
		"text": "https://archive.orkl.eu/b5d6a1ba53684b23b7e2392529bf245df3e4e306.txt",
		"img": "https://archive.orkl.eu/b5d6a1ba53684b23b7e2392529bf245df3e4e306.jpg"
	}
}