{ "id": "8c389349-bd0d-49ae-aefb-9d7d1c4588ee", "created_at": "2026-04-06T00:20:19.37013Z", "updated_at": "2026-04-10T03:37:58.724093Z", "deleted_at": null, "sha1_hash": "b73f7bea7b5c24090ad3b53eab5c8dc280c7a693", "title": "PlugX (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 454264, "plain_text": "PlugX (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:25:30 UTC\r\nRSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a\r\nbackdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute\r\nseveral kinds of commands on the affected system.\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\nThe malware also logs its events in a text log file.\r\n2026-02-26 ⋅ Lab52 ⋅\r\nPlugX Meeting Invitation via MSBuild and GDATA\r\nPlugX 2025-10-30 ⋅ Arctic Wolf ⋅ Arctic Wolf Labs Team\r\nUNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian\r\nDiplomatic Entities\r\nPlugX 2025-08-25 ⋅ Google ⋅ Google Threat Intelligence Group\r\nDeception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats\r\nPlugX UNC6384 2025-03-14 ⋅ bluecyber ⋅ Ngo Thanh Van\r\nPlugX: Bad guy disguises as an msi file\r\nPlugX 2025-02-20 ⋅ Orange Cyberdefense ⋅ Alexis Bonnefoi, Marine PICHON\r\nMeet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors\r\nNailaoLocker PlugX ShadowPad 2025-02-20 ⋅ Trend Micro ⋅ Daniel Lunghi\r\nUpdated Shadowpad Malware Leads to Ransomware Deployment\r\nEvilExtractor NailaoLocker PlugX ShadowPad 2025-02-20 ⋅ Trend Micro ⋅ Daniel Lunghi\r\nUpdated Shadowpad Malware Leads to Ransomware Deployment\r\nEvilExtractor PlugX ShadowPad Teleboyi 2025-02-18 ⋅ Orange Cyberdefense ⋅ Alexis Bonnefoi, Marine PICHON\r\nIOCs Green Nailao campaign (NailaoLocker, ShadowPad)\r\nNailaoLocker PlugX ShadowPad 2025-02-13 ⋅ Symantec ⋅ Threat Hunter Team\r\nChina-linked Espionage Tools Used in Ransomware Attacks\r\nPlugX 2025-01-29 ⋅ Palo Alto Networks Unit 42 ⋅ Lior Rochberger, Yoav Zemah\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 1 of 12\n\nCL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia\r\nCobalt Strike MimiKatz PlugX ValleyRAT Winos CL-STA-0048 2025-01-14 ⋅ Department of Justice ⋅ Office of Public\r\nAffairs\r\nJustice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers\r\nPlugX 2025-01-09 ⋅ Recorded Future ⋅ Insikt Group\r\nChinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection\r\nChain\r\nPlugX 2024-10-10 ⋅ Hunt.io ⋅ Hunt.io\r\nUnmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity\r\nCobalt Strike PlugX 2024-09-24 ⋅ Virus Bulletin ⋅ Aragorn Tseng, Chi-Yu You, Cristiana Brafman Kittner, Steve Su\r\nDown the GRAYRABBIT HOle - Exposing UNC3569 and its Modus Operandi\r\nKEYPLUG Cobalt Strike CROSSWALK GRAYRABBIT HelloBot HUI Loader PlugX SiestaGraph 2024-09-10 ⋅\r\nTalos Intelligence ⋅ Joey Chen\r\nDragonRank, a Chinese-speaking SEO manipulator service provider\r\nIISpy PlugX DragonRank 2024-08-23 ⋅ TEAMT5 ⋅ Still Hsu\r\nSailing the Seven SEAs: Deep Dive into Polaris' Arsenal and Intelligence Insights\r\nCobalt Strike Hodur PlugX TONESHELL 2024-06-03 ⋅ SYGNIA ⋅ Sygnia Team\r\nChina-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence\r\nPlugX 2024-05-23 ⋅ Palo Alto Networks Unit 42 ⋅ Daniel Frank, Lior Rochberger\r\nOperation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target\r\nGovernmental Entities in the Middle East, Africa and Asia\r\nAgent Racoon CHINACHOPPER Ghost RAT JuicyPotato MimiKatz Ntospy PlugX SweetSpecter TunnelSpecter\r\nCL-STA-0043 2024-04-27 ⋅ Google ⋅ Rommel-J\r\nFinding Malware: Detecting SOGU with Google Security Operations.\r\nPlugX 2024-04-19 ⋅ ⋅ Spiegel Online ⋅ Christoph Giesen, Hakan Tanriverdi, Simon Hage\r\nVW-Konzern wurde jahrelang ausspioniert – von China?\r\nCHINACHOPPER PlugX 2024-03-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Joseph C Chen\r\nEarth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks\r\nDinodasRAT PlugX Reshell ShadowPad Earth Krahang 2024-02-21 ⋅ YouTube (SentinelOne) ⋅ Kris McConkey\r\nLABSCon23 Replay | Chasing Shadows | The rise of a prolific espionage actor\r\n9002 RAT PlugX ShadowPad Spyder Earth Lusca 2024-01-25 ⋅ JSAC 2024 ⋅ Yi-Chin Chuang, Yu-Tung Chang\r\nUnveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide\r\nPlugX 2024-01-25 ⋅ JSAC 2024 ⋅ Hara Hiroaki, Kawakami Ryonosuke, Shota Nakajima\r\nThe Secret Life of RATs: connecting the dots by dissecting multiple backdoors\r\nDracuLoader GroundPeony HemiGate PlugX 2024-01-23 ⋅ CSIRT-CTI ⋅ CSIRT-CTI\r\nStately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks\r\nPlugX PUBLOAD TONESHELL 2024-01-21 ⋅ Mahmoud Zohdy Blog ⋅ Mahmoud Zohdy\r\nA Look into PlugX Kernel driver\r\nPlugX 2024-01-09 ⋅ Recorded Future ⋅ Insikt Group\r\n2023 Adversary Infrastructure Report\r\nAsyncRAT Cobalt Strike Emotet PlugX ShadowPad 2023-12-06 ⋅ splunk ⋅ Splunk Threat Research Team\r\nUnmasking the Enigma: A Historical Dive into the World of PlugX Malware\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 2 of 12\n\nPlugX 2023-12-06 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nCinnamon Tempest\r\nCobalt Strike HUI Loader PlugX Sliver BRONZE STARLIGHT 2023-09-08 ⋅ PolySwarm Tech Team ⋅ The Hivemind\r\nCarderbee Targets Hong Kong in Supply Chain Attack\r\nPlugX Carderbee 2023-09-07 ⋅ Sekoia ⋅ Jamila B.\r\nMy Tea’s not cold. An overview of China’s cyber threat\r\nMelofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL Dalbit MirrorFace 2023-08-22 ⋅\r\nSymantec ⋅ Threat Hunter Team\r\nCarderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong\r\nPlugX Carderbee 2023-08-07 ⋅ Recorded Future ⋅ Insikt Group\r\nRedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale\r\nWinnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca 2023-07-11 ⋅ Mandiant ⋅ Ng\r\nChoon Kiat, Rommel Joven\r\nThe Spies Who Loved You: Infected USB Drives to Steal Secrets\r\nPlugX 2023-05-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nLancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors\r\nMerdoor PlugX ShadowPad ZXShell Lancefly 2023-05-03 ⋅ Lab52 ⋅ Lab52\r\nNew Mustang Panda’s campaing against Australia\r\nPlugX 2023-04-23 ⋅ ESET Research ⋅ Alexandre Côté Cyr, Matthieu Faou\r\nTA410: APT10’s distant cousin\r\nFlowCloud Lookback PlugX Quasar RAT Tendyron Witchetty 2023-04-18 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2023\r\nQUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive\r\nINDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC\r\nWhisperGate 2023-03-30 ⋅ Recorded Future ⋅ Insikt Group\r\nWith KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets\r\nKEYPLUG Cobalt Strike PlugX RedGolf 2023-03-09 ⋅ ASEC ⋅ Sanseo\r\nPlugX Malware Being Distributed via Vulnerability Exploitation\r\nPlugX 2023-03-09 ⋅ Sophos ⋅ Gabor Szappanos\r\nA border-hopping PlugX USB worm takes its act on the road\r\nPlugX 2023-02-24 ⋅ Trend Micro ⋅ Buddy Tancio, Catherine Loveria, Jed Valderama\r\nInvestigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool\r\nPlugX 2023-02-02 ⋅ EclecticIQ ⋅ EclecticIQ Threat Research Team\r\nMustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware\r\nPlugX 2023-01-26 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Mike Harbison\r\nChinese PlugX Malware Hidden in Your USB Devices?\r\nPlugX 2023-01-26 ⋅ TEAMT5 ⋅ Still Hsu\r\nBrief History of MustangPanda and its PlugX Evolution\r\nPlugX MUSTANG PANDA 2023-01-09 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien\r\n[QuickNote] Another nice PlugX sample\r\nPlugX 2022-12-27 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien\r\nDiving into a PlugX sample of Mustang Panda group\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 3 of 12\n\nPlugX 2022-12-06 ⋅ Blackberry ⋅ BlackBerry Research \u0026 Intelligence Team\r\nMustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets\r\nPlugX 2022-12-02 ⋅ Avast Decoded ⋅ Threat Intelligence Team\r\nHitching a ride with Mustang Panda\r\nPlugX 2022-11-30 ⋅ ⋅ FFRI Security ⋅ Matsumoto\r\nEvolution of the PlugX loader\r\nPlugX Poison Ivy 2022-10-06 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nMustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims\r\nPlugX 2022-09-26 ⋅ Palo Alto Networks Unit 42 ⋅ Daniela Shalev, Itay Gamliel\r\nHunting for Unsigned DLLs to Find APTs\r\nPlugX Raspberry Robin Roshtyak 2022-09-14 ⋅ Security Joes ⋅ Felipe Duarte\r\nDissecting PlugX to Extract Its Crown Jewels\r\nPlugX 2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team\r\nNew Wave of Espionage Activity Targets Asian Governments\r\nMimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT 2022-09-09 ⋅ Github (m4now4r) ⋅ m4n0w4r\r\n“Mustang Panda” – Enemy at the gate\r\nPlugX 2022-09-08 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Kotaro Ogino, Yuki Shibuya\r\nThreat Analysis Report: PlugX RAT Loader Evolution\r\nPlugX 2022-09-08 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nBRONZE PRESIDENT Targets Government Officials\r\nPlugX 2022-07-18 ⋅ YouTube (Security Joes) ⋅ Felipe Duarte\r\nPlugX DLL Side-Loading Technique\r\nPlugX 2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nShallow Taurus\r\nFormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK 2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem\r\nSnegirev, Kirill Kruglov\r\nAttacks on industrial control systems using ShadowPad\r\nCobalt Strike PlugX ShadowPad 2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nBRONZE STARLIGHT Ransomware Operations Use HUI Loader\r\nATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster\r\nBRONZE STARLIGHT 2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nOperation Earth Berberoka\r\nreptile oRAT Ghost RAT PlugX pupy Earth Berberoka 2022-05-20 ⋅ VinCSS ⋅ Dang Dinh Phuong, m4n0w4r, Tran Trung\r\nKien\r\n[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations\r\nin Vietnam\r\nPlugX 2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies\r\nSpace Pirates: analyzing the tools and connections of a new hacker group\r\nFormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax 2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga\r\nAnalysis of HUI Loader\r\nHUI Loader PlugX Poison Ivy Quasar RAT 2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh\r\nThe Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 4 of 12\n\n(slides)\r\nKEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu 2022-05-05 ⋅\r\nCisco Talos ⋅ Aliza Berk, Asheer Malhotra, Jung soo An, Justin Thattil, Kendall McKay\r\nMustang Panda deploys a new wave of malware targeting Europe\r\nCobalt Strike Meterpreter PlugX PUBLOAD 2022-05-02 ⋅ Sentinel LABS ⋅ Amitai Ben Shushan Ehrlich, Joey Chen\r\nMoshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad\r\nPlugX ShadowPad Moshen Dragon 2022-04-28 ⋅ PWC ⋅ PWC UK\r\nCyber Threats 2021: A Year in Retrospect (Annex)\r\nCobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen 2022-04-28 ⋅ DARKReading ⋅ Jai Vijayan\r\nChinese APT Bronze President Mounts Spy Campaign on Russian Military\r\nPlugX MUSTANG PANDA 2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nOperation Gambling Puppet\r\nreptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka\r\n2022-04-27 ⋅ Trendmicro ⋅ Trendmicro\r\nIOCs for Earth Berberoka - Windows\r\nAsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka 2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nNew APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware\r\nHelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka 2022-04-14 ⋅ NSHC RedAlert Labs ⋅\r\nNSHC Threatrecon Team\r\nHacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB\r\nPlugX 2022-04-12 ⋅ Max Kersten's Blog ⋅ Max Kersten\r\nGhidra script to handle stack strings\r\nCaddyWiper PlugX 2022-03-28 ⋅ Trellix ⋅ Marc Elias, Max Kersten\r\nPlugX: A Talisman to Behold\r\nPlugX 2022-03-25 ⋅ ⋅ ESET Research ⋅ Alexandre Côté Cyr\r\nMustang Panda's Hodur: Old stuff, new variant of Korplug\r\nPlugX 2022-03-24 ⋅ Threat Post ⋅ Nate Nelson\r\nChinese APT Combines Fresh Hodur RAT with Complex Anti-Detection\r\nPlugX 2022-03-23 ⋅ ESET Research ⋅ Alexandre Côté Cyr\r\nMustang Panda’s Hodur: Old tricks, new Korplug variant\r\nHodur PlugX 2022-03-23 ⋅ BleepingComputer ⋅ Bill Toulas\r\nNew Mustang Panda hacking campaign targets diplomats, ISPs\r\nPlugX 2022-03-07 ⋅ Proofpoint ⋅ Michael Raggi, Myrtus 0x0\r\nThe Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as\r\nConflict in Ukraine Escalates\r\nPlugX MUSTANG PANDA 2022-02-17 ⋅ SinaCyber ⋅ Adam Kozy\r\nTestimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber\r\nCapabilities: Warfare, Espionage, and Implications for the United States”\r\nPlugX APT26 APT41 2022-01-06 ⋅ Cyber And Ramen blog ⋅ Mike R\r\nA “GULP” of PlugX\r\nPlugX 2021-12-01 ⋅ ESET Research ⋅ Alexis Dorais-Joncas, Facundo Muñoz\r\nJumping the air gap: 15 years of nation‑state effort\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 5 of 12\n\nAgent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry 2021-11-18 ⋅ Cisco ⋅ Josh Pyorre\r\nBlackMatter, LockBit, and THOR\r\nBlackMatter LockBit PlugX 2021-11-04 ⋅ Youtube (Virus Bulletin) ⋅ Joey Chen, Yi-Jhen Hsieh\r\nShadowPad: the masterpiece of privately sold malware in Chinese espionage\r\nPlugX ShadowPad 2021-10-18 ⋅ NortonLifeLock ⋅ Norton Labs\r\nOperation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church\r\nNewBounce PlugX Zupdax 2021-09-28 ⋅ Recorded Future ⋅ Insikt Group®\r\n4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan\r\nPlugX Winnti 2021-09-14 ⋅ McAfee ⋅ Christiaan Beek\r\nOperation ‘Harvest’: A Deep Dive into a Long-term Campaign\r\nMimiKatz PlugX Winnti 2021-09-10 ⋅ The Record ⋅ Catalin Cimpanu\r\nIndonesian intelligence agency compromised in suspected Chinese hack\r\nPlugX 2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li\r\nMem2Img: Memory-Resident Malware Detection via Convolution Neural Network\r\nCobalt Strike PlugX Waterbear 2021-09-01 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Joey Chen, Yi-Jhen Hsieh\r\nSHADOWPAD: Chinese Espionage Malware-as-a-Service\r\nPlugX ShadowPad 2021-08-23 ⋅ SentinelOne ⋅ Joey Chen, Yi-Jhen Hsieh\r\nShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage\r\nPlugX ShadowPad 2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe, Mike Harbison\r\nTHOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG\r\nGroup\r\nPlugX 2021-07-21 ⋅ Bitdefender ⋅ Bogdan Botezatu, Victor Vrabie\r\nLuminousMoth – PlugX, File Exfiltration and Persistence Revisited\r\nPlugX 2021-06-16 ⋅ Recorded Future ⋅ Insikt Group®\r\nThreat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries\r\nIcefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA 2021-06-02 ⋅ xorhex blog ⋅ Twitter (@xorhex)\r\nRedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure\r\nPlugX 2021-06-02 ⋅ Twitter (@xorhex) ⋅ Xorhex\r\nTweet on new variant of PlugX from RedDelta Group\r\nPlugX 2021-05-27 ⋅ xorhex blog ⋅ Twitter (@xorhex)\r\nMustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config\r\nPlugX 2021-05-17 ⋅ xorhex blog ⋅ Twitter (@xorhex)\r\nMustang Panda PlugX - 45.251.240.55 Pivot\r\nPlugX 2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li\r\nMem2Img: Memory-Resident Malware Detection via Convolution Neural Network\r\nCobalt Strike PlugX Waterbear 2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu\r\nRedEcho group parks domains after public exposure\r\nPlugX ShadowPad RedEcho 2021-03-25 ⋅ Recorded Future ⋅ Insikt Group®\r\nSuspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers\r\nMeterpreter PlugX 2021-03-17 ⋅ Recorded Future ⋅ Insikt Group®\r\nChina-linked TA428 Continues to Target Russia and Mongolia IT Companies\r\nPlugX Poison Ivy TA428 2021-03-10 ⋅ ESET Research ⋅ Mathieu Tartare, Matthieu Faou, Thomas Dupuy\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 6 of 12\n\nExchange servers under siege from at least 10 APT groups\r\nMicrocin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda 2021-02-28 ⋅\r\nPWC UK ⋅ PWC UK\r\nCyber Threats 2020: A Year in Retrospect\r\nelf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot\r\nBazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx\r\nFunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk\r\nStoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess\r\nWinnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception\r\nFramework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team 2021-02-28 ⋅ Recorded Future ⋅ Insikt\r\nGroup®\r\nChina-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions\r\nIcefog PlugX ShadowPad 2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®\r\nChina-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions\r\nPlugX ShadowPad RedEcho 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-08 ⋅ Myanmar Computer Emergency Response Team ⋅ Myanmar Computer\r\nEmergency Response Team\r\nPlugX Removal Guide Version 1.2\r\nPlugX 2021-01-20 ⋅ Trend Micro ⋅ Abraham Camba, Gilbert Sison, Ryan Maglaque\r\nXDR investigation uncovers PlugX, unique technique in APT attack\r\nPlugX 2021-01-15 ⋅ Swisscom ⋅ Markus Neis\r\nCracking a Soft Cell is Harder Than You Think\r\nGhost RAT MimiKatz PlugX Poison Ivy Trochilus RAT 2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence\r\nHigaisa or Winnti? APT41 backdoors, old and new\r\nCobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad 2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nCommand and Control Traffic Patterns\r\nostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID\r\nISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot 2021-01-04 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nChina's APT hackers move to ransomware attacks\r\nClambling PlugX 2020-12-24 ⋅ IronNet ⋅ Adam Hlavek\r\nChina cyber attacks: the current threat landscape\r\nPLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti 2020-12-10 ⋅ ESET Research ⋅ Mathieu\r\nTartare\r\nOperation StealthyTrident: corporate software under attack\r\nHyperBro PlugX ShadowPad Tmanger 2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare\r\nOperation StealthyTrident: corporate software under attack\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 7 of 12\n\nHyperBro PlugX Tmanger TA428 2020-12-09 ⋅ Avast Decoded ⋅ Igor Morgenstern, Luigino Camastra\r\nAPT Group Targeting Governmental Agencies in East Asia\r\nAlbaniiutas HyperBro PlugX PolPo Tmanger 2020-12-09 ⋅ Avast Decoded ⋅ Igor Morgenstern, Luigino Camastra\r\nAPT Group Targeting Governmental Agencies in East Asia\r\nAlbaniiutas HyperBro PlugX Tmanger TA428 2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team\r\nTA416 Goes to Ground and Returns with a Golang PlugX Malware Loader\r\nPlugX MUSTANG PANDA 2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison\r\nWeaponizing Open Source Software for Targeted Attacks\r\nLaZagne Defray PlugX 2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos\r\nA new APT uses DLL side-loads to “KilllSomeOne”\r\nKilllSomeOne PlugX 2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q3 2020\r\nWellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack\r\nLODEINFO MoriAgent Okrum PlugX POISONPLUG Rover ShadowPad SoreFang Winnti 2020-10-27 ⋅ Dr.Web ⋅\r\nDr.Web\r\nStudy of the ShadowPad APT backdoor and its relation to PlugX\r\nGhost RAT PlugX ShadowPad 2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team\r\nAPT41: Indictments Put Chinese Espionage Group in the Spotlight\r\nCROSSWALK PlugX POISONPLUG ShadowPad Winnti 2020-09-15 ⋅ Recorded Future ⋅ Insikt Group®\r\nBack Despite Disruption: RedDelta Resumes Operations\r\nPlugX 2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team\r\nResearch Roundup: Activity on Previously Identified APT33 Domains\r\nEmotet PlugX APT33 2020-07-29 ⋅ ESET Research ⋅ welivesecurity\r\nTHREAT REPORT Q2 2020\r\nDEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB\r\nLocker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin\r\nNemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor 2020-07-29 ⋅ Recorded Future\r\n⋅ Insikt Group\r\nChinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations\r\nPlugX 2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2020\r\nPhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya\r\nGodlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess\r\nX-Agent XTunnel 2020-07-28 ⋅ ⋅ NTT ⋅ NTT Security\r\nCraftyPanda 標的型攻撃解析レポート\r\nGhost RAT PlugX 2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon\r\nWhat even is Winnti?\r\nCCleaner Backdoor Ghost RAT PlugX ZXShell 2020-07-20 ⋅ Dr.Web ⋅ Dr.Web\r\nStudy of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan\r\nMicrocin Mirage PlugX WhiteBird 2020-07-20 ⋅ or10nlabs ⋅ oR10n\r\nReverse Engineering the New Mustang Panda PlugX Downloader\r\nPlugX 2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 8 of 12\n\nChinese state hackers target Hong Kong Catholic Church\r\nPlugX 2020-07-05 ⋅ or10nlabs ⋅ oR10n\r\nReverse Engineering the Mustang Panda PlugX RAT – Extracting the Config\r\nPlugX 2020-07-01 ⋅ Contextis ⋅ Lampros Noutsos, Oliver Fay\r\nDLL Search Order Hijacking\r\nCobalt Strike PlugX 2020-06-03 ⋅ Kaspersky Labs ⋅ Giampaolo Dedola, GReAT, Mark Lechtik\r\nCycldek: Bridging the (air) gap\r\n8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing 2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii\r\nMustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers\r\nPlugX 2020-05-24 ⋅ or10nlabs ⋅ oR10n\r\nReverse Engineering the Mustang Panda PlugX Loader\r\nPlugX 2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller\r\nTweet on SOGU development timeline, including TIGERPLUG IOCs\r\nPlugX 2020-05-14 ⋅ Lab52 ⋅ Dex\r\nThe energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey\r\nCobalt Strike HTran MimiKatz PlugX Quasar RAT 2020-05-01 ⋅ ⋅ Viettel Cybersecurity ⋅ Cyberthreat\r\nChiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)\r\nNewCore RAT PlugX 2020-03-22 ⋅ Anomali ⋅ Anomali Threat Research\r\nCOVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication\r\nPlugX 2020-03-19 ⋅ ⋅ VinCSS ⋅ m4n0w4r\r\nAnalysis of malware taking advantage of the Covid-19 epidemic to spread fake \"Directive of Prime Minister\r\nNguyen Xuan Phuc\" - Part 2\r\nPlugX 2020-03-10 ⋅ ⋅ VinCSS ⋅ m4n0w4r\r\n[RE012] Analysis of malware taking advantage of the Covid-19 epidemic to spread fake \"Directive of Prime\r\nMinister Nguyen Xuan Phuc\" - Part 1\r\nPlugX 2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe\r\nPulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state\r\nadversary\r\nHenBox Farseer PlugX Poison Ivy 2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR\r\nAPT10 Threat Analysis Report\r\nCHINACHOPPER HTran MimiKatz PlugX Quasar RAT 2020-02-18 ⋅ Trend Micro ⋅ Cedric Pernet, Daniel Lunghi, Jamz\r\nYaneza, Kenney Lu\r\nUncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations\r\nCobalt Strike HyperBro PlugX Trochilus RAT Operation DRBControl 2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo\r\nChen, Zero Chen\r\nCLAMBLING - A New Backdoor Base On Dropbox\r\nHyperBro PlugX 2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard\r\nNew wave of PlugX targets Hong Kong\r\nPlugX 2020-01-31 ⋅ YouTube (Context Information Security) ⋅ Contextis\r\nNew AVIVORE threat group – how they operate and managing the risk\r\nPlugX 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE ATLAS\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 9 of 12\n\nSpeculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz\r\nPlugX Winnti APT41 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE EXPRESS\r\n9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE FIRESTONE\r\n9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE KEYSTONE\r\n9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17 2020-01-01 ⋅ Secureworks\r\n⋅ SecureWorks\r\nBRONZE OLIVE\r\nANGRYREBEL PlugX APT22 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE OVERBROOK\r\nAveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE PRESIDENT\r\nCHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE RIVERSIDE\r\nAnel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE UNION\r\n9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell\r\nAPT27 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE WOODLAND\r\nPlugX Zeus Roaming Tiger 2020-01-01 ⋅ Dragos ⋅ Joe Slowik\r\nThreat Intelligence and the Limits of Malware Analysis\r\nExaramel Exaramel Industroyer Lookback NjRAT PlugX 2019-12-29 ⋅ Secureworks ⋅ CTU Research Team\r\nBRONZE PRESIDENT Targets NGOs\r\nPlugX 2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler\r\nFresh PlugX October 2019\r\nPlugX 2019-11-11 ⋅ Virus Bulletin ⋅ Hiroshi Soeda, Shusei Tomonaga, Tomoaki Tani, Wataru Takahashi\r\nAPT cases exploiting vulnerabilities in region‑specific software\r\nNodeRAT Emdivi PlugX 2019-10-31 ⋅ PTSecurity ⋅ PTSecurity\r\nCalypso APT: new group attacking state institutions\r\nBYEBY FlyingDutchman Hussar PlugX 2019-10-22 ⋅ Contextis ⋅ Contextis\r\nAVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper)\r\nPlugX Avivore 2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe\r\nPKPLUG: Chinese Cyber Espionage Group Attacking Asia\r\nHenBox Farseer PlugX 2019-10-03 ⋅ ComputerWeekly ⋅ Alex Scroxton\r\nNew threat group behind Airbus cyber attacks, claim researchers\r\nPlugX Avivore 2019-09-23 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nAPT41\r\nDerusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire\r\nDownloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 2019-06-19 ⋅ YouTube (44CON\r\nInformation Security Conference) ⋅ Kevin O’Reilly\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 10 of 12\n\nThe Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware\r\nPlugX 2019-06-03 ⋅ FireEye ⋅ Chi-en Shen\r\nInto the Fog - The Return of ICEFOG APT\r\nIcefog PlugX Sarhust 2019-05-24 ⋅ Fortinet ⋅ Ben Hunter\r\nUncovering new Activity by APT10\r\nPlugX Quasar RAT 2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team\r\nSectorM04 Targeting Singapore – An Analysis\r\nPlugX Termite 2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD\r\nInvestigationreport: Compromise of an Australian companyvia their Managed Service Provider\r\nPlugX RedLeaves 2018-08-21 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen, Kawabata Kohei, Kenney Lu\r\nOperation Red Signature Targets South Korean Companies\r\n9002 RAT PlugX Operation Red Signature 2018-07-31 ⋅ Medium Sebdraven ⋅ Sébastien Larinier\r\nMalicious document targets Vietnamese officials\r\n8.t Dropper PlugX 1937CN 2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha\r\nMalware Analysis - PlugX - Part 2\r\nPlugX 2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov\r\nTime of death? A therapeutic postmortem of connected medicine\r\nPlugX 2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha\r\nMALWARE ANALYSIS – PLUGX\r\nPlugX 2017-12-18 ⋅ ⋅ LAC ⋅ Yoshihiro Ishikawa\r\nRelationship between PlugX and attacker group \"DragonOK\"\r\nPlugX 2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Esmid Idrizovic, Tom Lancaster\r\nParanoid PlugX\r\nPlugX 2017-05-31 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nAxiom\r\nDerusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17 2017-04-27 ⋅ US-CERT ⋅ US-CERT\r\nAlert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors\r\nPlugX RedLeaves 2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga\r\nRedLeaves - Malware Based on Open Source RAT\r\nPlugX RedLeaves Trochilus RAT 2017-04-01 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers\r\nOperation Cloud Hopper: Technical Annex\r\nChChes PlugX Quasar RAT RedLeaves Trochilus RAT 2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga\r\nPlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code\r\nPlugX 2017-02-13 ⋅ RSA ⋅ RSA Research\r\nKINGSLAYER – A SUPPLY CHAIN ATTACK\r\nCodeKey PlugX 2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs\r\nUnpacking the spyware disguised as antivirus\r\nPlugX 2016-06-13 ⋅ ⋅ Macnica Networks ⋅ Macnica Networks\r\nSurvey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition\r\nEmdivi PlugX 2016-01-22 ⋅ RSA Link ⋅ Norton Santos\r\nPlugX APT Malware\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 11 of 12\n\nPlugX 2015-09-15 ⋅ Proofpoint ⋅ Aleksey F, Thoufique Haq\r\nIn Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia\r\nPlugX 2015-08-01 ⋅ Arbor Networks ⋅ ASERT Team\r\nUncovering the Seven Pointed Dagger\r\n9002 RAT EvilGrab PlugX Trochilus RAT APT9 2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike\r\nCrowdStrike Global Threat Intel Report 2014\r\nBlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser MedusaHTTP Mirage Naikon\r\nNetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor 2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga\r\nAnalysis of a Recent PlugX Variant - “P2P PlugX”\r\nPlugX 2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos\r\nPlugX - The Next Generation\r\nPlugX 2014-06-10 ⋅ FireEye ⋅ Mike Scott\r\nClandestine Fox, Part Deux\r\nPlugX 2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud\r\nPlugX: some uncovered points\r\nPlugX 2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL\r\nAnalysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)\r\nPlugX 2013-03-26 ⋅ Contextis ⋅ Kevin O’Reilly\r\nPlugX–Payload Extraction\r\nPlugX 2013-02-27 ⋅ Trend Micro ⋅ Abraham Camba\r\nBKDR_RARSTONE: New RAT to Watch Out For\r\nPlugX Naikon 2012-02-10 ⋅ tracker.h3x.eu ⋅ Malware Corpus Tracker\r\nInfo for Family: plugx\r\nPlugX\r\n[TLP:WHITE] win_plugx_auto (20251219 | Detects win.plugx.)\r\n[TLP:WHITE] win_plugx_w1   (20170517 | PlugX Identifying Strings)\r\n[TLP:WHITE] win_plugx_w2   (20170517 | PlugX RAT)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.plugx\r\nPage 12 of 12", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx" ], "report_names": [ "win.plugx" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d", "created_at": "2022-10-25T15:50:23.629983Z", "updated_at": "2026-04-10T02:00:05.362084Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "Group 72" ], "source_name": "MITRE:Axiom", "tools": [ "ZxShell", "gh0st RAT", "Zox", "PlugX", "Hikit", "PoisonIvy", "Derusbi", "Hydraq" ], "source_id": "MITRE", "reports": null }, { "id": "7c00086d-9535-4552-8201-1dd725e41b12", "created_at": "2023-04-26T02:03:03.128736Z", "updated_at": "2026-04-10T02:00:05.239152Z", "deleted_at": null, "main_name": "LuminousMoth", "aliases": [ "LuminousMoth" ], "source_name": "MITRE:LuminousMoth", "tools": [ "PlugX", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "1f3cf3d1-4764-4158-a216-dd6352e671bb", "created_at": "2022-10-25T15:50:23.837615Z", "updated_at": "2026-04-10T02:00:05.322197Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "APT19", "Codoso", "C0d0so0", "Codoso Team", "Sunshop Group" ], "source_name": "MITRE:APT19", "tools": [ "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "ef8ed28b-6afb-4447-b560-0df2892b8f1c", "created_at": "2023-06-23T02:04:34.315779Z", "updated_at": "2026-04-10T02:00:04.738599Z", "deleted_at": null, "main_name": "Lancefly", "aliases": [], "source_name": "ETDA:Lancefly", "tools": [ "Merdoor" ], "source_id": "ETDA", "reports": null }, { "id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c", "created_at": "2022-10-25T16:07:23.277763Z", "updated_at": "2026-04-10T02:00:04.514755Z", "deleted_at": null, "main_name": "Solar Spider", "aliases": [], "source_name": "ETDA:Solar Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5", "created_at": "2022-10-25T15:50:23.269339Z", "updated_at": "2026-04-10T02:00:05.402835Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "APT17", "Deputy Dog" ], "source_name": "MITRE:APT17", "tools": [ "BLACKCOFFEE" ], "source_id": "MITRE", "reports": null }, { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "536ca49a-2666-4005-8a50-e552fc7e16ef", "created_at": "2023-11-21T02:00:07.375813Z", "updated_at": "2026-04-10T02:00:03.471967Z", "deleted_at": null, "main_name": "Webworm", "aliases": [ "Space Pirates" ], "source_name": "MISPGALAXY:Webworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7936e2f8-5179-414a-8b57-530c28062f26", "created_at": "2023-04-27T02:04:45.231554Z", "updated_at": "2026-04-10T02:00:04.87247Z", "deleted_at": null, "main_name": "RedGolf", "aliases": [], "source_name": "ETDA:RedGolf", "tools": [ "Agent.dhwf", "Agentemis", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "ELFSHELF", "KEYPLUG", "Kaba", "Korplug", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "0fca7692-4a21-482f-a113-9548b49e8531", "created_at": "2022-10-25T16:07:24.117599Z", "updated_at": "2026-04-10T02:00:04.870741Z", "deleted_at": null, "main_name": "RedEcho", "aliases": [], "source_name": "ETDA:RedEcho", "tools": [ "POISONPLUG.SHADOW", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "cfdd35af-bd12-4c03-8737-08fca638346d", "created_at": "2022-10-25T16:07:24.165595Z", "updated_at": "2026-04-10T02:00:04.887031Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Cosmic Wolf", "Marbled Dust", "Silicon", "Teal Kurma", "UNC1326" ], "source_name": "ETDA:Sea Turtle", "tools": [ "Drupalgeddon" ], "source_id": "ETDA", "reports": null }, { "id": "71b19e59-b5f7-4bc6-816d-194be0f02af0", "created_at": "2022-10-25T16:07:24.301036Z", "updated_at": "2026-04-10T02:00:04.928222Z", "deleted_at": null, "main_name": "Taidoor", "aliases": [ "Budminer", "Earth Aughisky", "G0015" ], "source_name": "ETDA:Taidoor", "tools": [ "Dripion", "Masson", "Taidoor", "simbot" ], "source_id": "ETDA", "reports": null }, { "id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb", "created_at": "2022-10-25T16:07:24.380872Z", "updated_at": "2026-04-10T02:00:04.966462Z", "deleted_at": null, "main_name": "Viking Spider", "aliases": [], "source_name": "ETDA:Viking Spider", "tools": [ "Ragnar Locker", "RagnarLocker" ], "source_id": "ETDA", "reports": null }, { "id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960", "created_at": "2022-10-25T16:07:24.077859Z", "updated_at": "2026-04-10T02:00:04.860725Z", "deleted_at": null, "main_name": "Promethium", "aliases": [ "APT-C-41", "G0056", "Magenta Dust", "Promethium", "StrongPity" ], "source_name": "ETDA:Promethium", "tools": [ "StrongPity", "StrongPity2", "StrongPity3", "Truvasys" ], "source_id": "ETDA", "reports": null }, { "id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680", "created_at": "2022-10-25T16:07:23.899157Z", "updated_at": "2026-04-10T02:00:04.782542Z", "deleted_at": null, "main_name": "NetTraveler", "aliases": [ "APT 21", "Hammer Panda", "NetTraveler", "TEMP.Zhenbao" ], "source_name": "ETDA:NetTraveler", "tools": [ "Agent.dhwf", "Destroy RAT", "DestroyRAT", "Kaba", "Korplug", "NetTraveler", "Netfile", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "TravNet", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "1aead86d-0c57-4e3b-b464-a69f6de20cde", "created_at": "2023-01-06T13:46:38.318176Z", "updated_at": "2026-04-10T02:00:02.925424Z", "deleted_at": null, "main_name": "DAGGER PANDA", "aliases": [ "UAT-7290", "Red Foxtrot", "IceFog", "RedFoxtrot", "Red Wendigo", "PLA Unit 69010" ], "source_name": "MISPGALAXY:DAGGER PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3", "created_at": "2022-10-25T16:07:23.80111Z", "updated_at": "2026-04-10T02:00:04.753677Z", "deleted_at": null, "main_name": "LookBack", "aliases": [ "FlowingFrog", "LookBack", "LookingFrog", "TA410", "Witchetty" ], "source_name": "ETDA:LookBack", "tools": [ "FlowCloud", "GUP Proxy Tool", "SodomMain", "SodomMain RAT", "SodomNormal" ], "source_id": "ETDA", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d", "created_at": "2023-11-17T02:00:07.588367Z", "updated_at": "2026-04-10T02:00:03.453612Z", "deleted_at": null, "main_name": "MirrorFace", "aliases": [ "Earth Kasha" ], "source_name": "MISPGALAXY:MirrorFace", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0", "created_at": "2023-01-06T13:46:38.469688Z", "updated_at": "2026-04-10T02:00:02.987949Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Moafee", "BRONZE OVERBROOK", "G0017", "G0002", "Shallow Taurus" ], "source_name": "MISPGALAXY:DragonOK", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "93542ae8-73cb-482b-90a3-445a20663f15", "created_at": "2022-10-25T16:07:24.058412Z", "updated_at": "2026-04-10T02:00:04.853499Z", "deleted_at": null, "main_name": "PKPLUG", "aliases": [ "Stately Taurus" ], "source_name": "ETDA:PKPLUG", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1", "created_at": "2023-01-06T13:46:39.059774Z", "updated_at": "2026-04-10T02:00:03.199867Z", "deleted_at": null, "main_name": "TA410", "aliases": [], "source_name": "MISPGALAXY:TA410", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f799b96d-bc59-4b35-ae5c-dfe87e5b735b", "created_at": "2023-04-26T02:02:01.286476Z", "updated_at": "2026-04-10T02:00:03.363506Z", "deleted_at": null, "main_name": "RedGolf", "aliases": [], "source_name": "MISPGALAXY:RedGolf", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0", "created_at": "2023-01-06T13:46:39.237624Z", "updated_at": "2026-04-10T02:00:03.255835Z", "deleted_at": null, "main_name": "OUTLAW SPIDER", "aliases": [], "source_name": "MISPGALAXY:OUTLAW SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ffc66b49-9396-46af-966f-9376c4315f32", "created_at": "2023-11-21T02:00:07.339061Z", "updated_at": "2026-04-10T02:00:03.462317Z", "deleted_at": null, "main_name": "CL-STA-0043", "aliases": [ "TGR-STA-0043" ], "source_name": "MISPGALAXY:CL-STA-0043", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc91d469-ec69-497b-81d7-068b84501e63", "created_at": "2023-01-06T13:46:39.192791Z", "updated_at": "2026-04-10T02:00:03.242063Z", "deleted_at": null, "main_name": "RedEcho", "aliases": [], "source_name": "MISPGALAXY:RedEcho", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "680d62c6-23e2-411b-86e9-af6dc6a64d53", "created_at": "2023-01-06T13:46:39.329055Z", "updated_at": "2026-04-10T02:00:03.289076Z", "deleted_at": null, "main_name": "Avivore", "aliases": [], "source_name": "MISPGALAXY:Avivore", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6", "created_at": "2022-10-25T15:50:23.777222Z", "updated_at": "2026-04-10T02:00:05.399303Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "PROMETHIUM", "StrongPity" ], "source_name": "MITRE:PROMETHIUM", "tools": [ "Truvasys", "StrongPity" ], "source_id": "MITRE", "reports": null }, { "id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28", "created_at": "2022-10-25T15:50:23.78829Z", "updated_at": "2026-04-10T02:00:05.415039Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "DragonOK" ], "source_name": "MITRE:DragonOK", "tools": [ "PoisonIvy", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "81a3e326-a23a-4b8b-ae07-2e6679b3f2b3", "created_at": "2023-11-04T02:00:07.682997Z", "updated_at": "2026-04-10T02:00:03.391958Z", "deleted_at": null, "main_name": "Lancefly", "aliases": [], "source_name": "MISPGALAXY:Lancefly", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f21d7691-a720-46bb-81d7-11edb9f73eba", "created_at": "2023-11-08T02:00:07.126478Z", "updated_at": "2026-04-10T02:00:03.420826Z", "deleted_at": null, "main_name": "1937CN", "aliases": [], "source_name": "MISPGALAXY:1937CN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d027fba8-ffe7-4093-aa0d-833b52ce4427", "created_at": "2023-01-06T13:46:39.438394Z", "updated_at": "2026-04-10T02:00:03.326914Z", "deleted_at": null, "main_name": "TianWu", "aliases": [], "source_name": "MISPGALAXY:TianWu", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aa90ad17-8852-4732-9dba-72ffb64db493", "created_at": "2023-07-11T02:00:10.067957Z", "updated_at": "2026-04-10T02:00:03.367801Z", "deleted_at": null, "main_name": "RedDelta", "aliases": [], "source_name": "MISPGALAXY:RedDelta", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3e8f802c-efba-45ff-8844-5ea4e4a5297d", "created_at": "2023-11-07T02:00:07.092751Z", "updated_at": "2026-04-10T02:00:03.404589Z", "deleted_at": null, "main_name": "Witchetty", "aliases": [ "LookingFrog" ], "source_name": "MISPGALAXY:Witchetty", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998", "created_at": "2023-01-06T13:46:39.207556Z", "updated_at": "2026-04-10T02:00:03.246557Z", "deleted_at": null, "main_name": "RIDDLE SPIDER", "aliases": [], "source_name": "MISPGALAXY:RIDDLE SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e227b757-7032-4a99-b119-1bfda2ebd543", "created_at": "2023-01-06T13:46:39.21663Z", "updated_at": "2026-04-10T02:00:03.248543Z", "deleted_at": null, "main_name": "SOLAR SPIDER", "aliases": [], "source_name": "MISPGALAXY:SOLAR SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf", "created_at": "2023-01-06T13:46:38.626906Z", "updated_at": "2026-04-10T02:00:03.043681Z", "deleted_at": null, "main_name": "Tick", "aliases": [ "G0060", "Stalker Taurus", "PLA Unit 61419", "Swirl Typhoon", "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA" ], "source_name": "MISPGALAXY:Tick", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20", "created_at": "2023-01-06T13:46:39.138138Z", "updated_at": "2026-04-10T02:00:03.227223Z", "deleted_at": null, "main_name": "Higaisa", "aliases": [], "source_name": "MISPGALAXY:Higaisa", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bcf899bb-34bb-43e1-929d-02bc91974f2a", "created_at": "2023-02-18T02:04:24.050644Z", "updated_at": "2026-04-10T02:00:04.639142Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "ETDA:Dalbit", "tools": [ "ASPXSpy", "ASPXTool", "Agentemis", "AntSword", "BadPotato", "BlueShell", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "EFSPotato", "FRP", "Fast Reverse Proxy", "Godzilla", "Godzilla Loader", "HTran", "HUC Packet Transmit Tool", "JuicyPotato", "LadonGo", "Metasploit", "Mimikatz", "NPS", "ProcDump", "PsExec", "Remcom", "RemoteCommandExecution", "RottenPotato", "SinoChopper", "SweetPotato", "cobeacon", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "efa7c047-b61c-4598-96d5-e00d01dec96b", "created_at": "2022-10-25T16:07:23.404442Z", "updated_at": "2026-04-10T02:00:04.584239Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Canary Typhoon", "Circuit Panda", "Earth Hundun", "G0098", "Manga Taurus", "Operation PLEAD", "Operation Shrouded Crossbow", "Operation Waterbear", "Palmerworm", "Radio Panda", "Red Djinn", "T-APT-03", "TEMP.Overboard" ], "source_name": "ETDA:BlackTech", "tools": [ "BIFROST", "BUSYICE", "BendyBear", "Bluether", "CAPGELD", "DRIGO", "Deuterbear", "Flagpro", "GOODTIMES", "Gh0stTimes", "IconDown", "KIVARS", "LOLBAS", "LOLBins", "Linopid", "Living off the Land", "TSCookie", "Waterbear", "XBOW", "elf.bifrose" ], "source_id": "ETDA", "reports": null }, { "id": "3fad11c6-4336-4b28-a606-f510eca5452e", "created_at": "2022-10-25T16:07:24.346573Z", "updated_at": "2026-04-10T02:00:04.948823Z", "deleted_at": null, "main_name": "Turbine Panda", "aliases": [ "APT 26", "Black Vine", "Bronze Express", "Group 13", "JerseyMikes", "KungFu Kittens", "PinkPanther", "Shell Crew", "Taffeta Typhoon", "Turbine Panda", "WebMasters" ], "source_name": "ETDA:Turbine Panda", "tools": [ "Agent.dhwf", "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "Derusbi", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Hurix", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mivast", "PlugX", "RbDoor", "RedDelta", "RibDoor", "Sakula", "Sakula RAT", "Sakurel", "Sogu", "StreamEx", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "cobeacon", "ffrat" ], "source_id": "ETDA", "reports": null }, { "id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14", "created_at": "2022-10-25T16:07:23.649308Z", "updated_at": "2026-04-10T02:00:04.701157Z", "deleted_at": null, "main_name": "FunnyDream", "aliases": [ "Bronze Edgewood", "Red Hariasa", "TAG-16" ], "source_name": "ETDA:FunnyDream", "tools": [ "Chinoxy", "Filepak", "FilepakMonitor", "FunnyDream", "Keyrecord", "LOLBAS", "LOLBins", "Living off the Land", "Md_client", "PCShare", "ScreenCap", "TcpBridge", "Tcp_transfer", "ccf32" ], "source_id": "ETDA", "reports": null }, { "id": "58db0213-4872-41fe-8a76-a7014d816c73", "created_at": "2023-01-06T13:46:38.61757Z", "updated_at": "2026-04-10T02:00:03.040816Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "G0131", "PLA Unit 65017", "Earth Akhlut", "TAG-74", "CactusPete", "KARMA PANDA", "BRONZE HUNTLEY", "Red Beifang" ], "source_name": "MISPGALAXY:Tonto Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2646f776-792a-4498-967b-ec0d3498fdf1", "created_at": "2022-10-25T15:50:23.475784Z", "updated_at": "2026-04-10T02:00:05.269591Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Palmerworm" ], "source_name": "MITRE:BlackTech", "tools": [ "Kivars", "PsExec", "TSCookie", "Flagpro", "Waterbear" ], "source_id": "MITRE", "reports": null }, { "id": "a080173e-7141-4d46-831d-a5f15ebef31a", "created_at": "2023-01-06T13:46:38.629955Z", "updated_at": "2026-04-10T02:00:03.044597Z", "deleted_at": null, "main_name": "APT26", "aliases": [ "JerseyMikes", "TURBINE PANDA", "BRONZE EXPRESS", "TECHNETIUM", "Taffeta Typhoon" ], "source_name": "MISPGALAXY:APT26", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef", "created_at": "2023-01-06T13:46:38.998658Z", "updated_at": "2026-04-10T02:00:03.176186Z", "deleted_at": null, "main_name": "Taidoor", "aliases": [ "G0015", "Earth Aughisky" ], "source_name": "MISPGALAXY:Taidoor", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f5c5d5d4-3969-4e34-9982-55144c3908eb", "created_at": "2022-10-25T16:07:24.37846Z", "updated_at": "2026-04-10T02:00:04.965506Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "Bronze Dudley" ], "source_name": "ETDA:Vicious Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "BBSRAT", "Byeby", "Cmstar", "Enfal", "Lurid", "Pylot", "RoyalRoad", "Travle", "meciv" ], "source_id": "ETDA", "reports": null }, { "id": "866c0c21-8de3-4ad5-9887-cecd44feb788", "created_at": "2022-10-25T16:07:24.130298Z", "updated_at": "2026-04-10T02:00:04.875929Z", "deleted_at": null, "main_name": "Roaming Tiger", "aliases": [ "Bronze Woodland", "CTG-7273", "Rotten Tomato" ], "source_name": "ETDA:Roaming Tiger", "tools": [ "Agent.dhwf", "AngryRebel", "BBSRAT", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "Kaba", "Korplug", "Moudour", "Mydoor", "PCRat", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "78090a48-ca66-4cd8-a454-04d947e9c887", "created_at": "2023-01-06T13:46:38.303662Z", "updated_at": "2026-04-10T02:00:02.919567Z", "deleted_at": null, "main_name": "Hellsing", "aliases": [], "source_name": "MISPGALAXY:Hellsing", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8860d9ac-afa8-454d-9d86-926aa8dd5019", "created_at": "2024-02-08T02:00:04.313581Z", "updated_at": "2026-04-10T02:00:03.582422Z", "deleted_at": null, "main_name": "Operation Red Signature", "aliases": [], "source_name": "MISPGALAXY:Operation Red Signature", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a", "created_at": "2023-09-07T02:02:47.827633Z", "updated_at": "2026-04-10T02:00:04.873323Z", "deleted_at": null, "main_name": "RedHotel", "aliases": [ "Operation FishMedley", "RedHotel", "TAG-22" ], "source_name": "ETDA:RedHotel", "tools": [ "Agentemis", "BIOPASS", "BIOPASS RAT", "BleDoor", "Brute Ratel", "Brute Ratel C4", "Cobalt Strike", "CobaltStrike", "FunnySwitch", "POISONPLUG.SHADOW", "RbDoor", "RibDoor", "RouterGod", "ShadowPad Winnti", "SprySOCKS", "Spyder", "Winnti", "XShellGhost", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "d5451198-ac6b-40af-b8ef-1afb549c2dc8", "created_at": "2024-03-21T02:00:04.728286Z", "updated_at": "2026-04-10T02:00:03.60345Z", "deleted_at": null, "main_name": "Earth Krahang", "aliases": [], "source_name": "MISPGALAXY:Earth Krahang", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7b039cc0-33b6-495a-b4ca-649d096b993d", "created_at": "2023-01-06T13:46:38.482654Z", "updated_at": "2026-04-10T02:00:02.99265Z", "deleted_at": null, "main_name": "APT22", "aliases": [ "G0039", "Suckfly", "BRONZE OLIVE", "Group 46" ], "source_name": "MISPGALAXY:APT22", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f45af9e4-5037-4a5a-82c1-4627845eea49", "created_at": "2024-09-26T02:00:04.286721Z", "updated_at": "2026-04-10T02:00:03.707415Z", "deleted_at": null, "main_name": "Earth Baxia", "aliases": [], "source_name": "MISPGALAXY:Earth Baxia", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784", "created_at": "2023-01-06T13:46:38.953463Z", "updated_at": "2026-04-10T02:00:03.159523Z", "deleted_at": null, "main_name": "APT31", "aliases": [ "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", "Violet Typhoon", "TA412" ], "source_name": "MISPGALAXY:APT31", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "13354d3f-3f40-44ec-b42a-3cda18809005", "created_at": "2022-10-25T15:50:23.275272Z", "updated_at": "2026-04-10T02:00:05.36519Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "APT3", "Gothic Panda", "Pirpi", "UPS Team", "Buckeye", "Threat Group-0110", "TG-0110" ], "source_name": "MITRE:APT3", "tools": [ "OSInfo", "schtasks", "PlugX", "LaZagne", "SHOTPUT", "RemoteCMD" ], "source_id": "MITRE", "reports": null }, { "id": "da483338-e479-4d74-a6dd-1fb09343fd07", "created_at": "2022-10-25T15:50:23.698197Z", "updated_at": "2026-04-10T02:00:05.355597Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Tonto Team", "Earth Akhlut", "BRONZE HUNTLEY", "CactusPete", "Karma Panda" ], "source_name": "MITRE:Tonto Team", "tools": [ "Mimikatz", "Bisonal", "ShadowPad", "LaZagne", "NBTscan", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01", "created_at": "2022-10-25T16:07:23.562676Z", "updated_at": "2026-04-10T02:00:04.662064Z", "deleted_at": null, "main_name": "Earth Berberoka", "aliases": [ "GamblingPuppet" ], "source_name": "ETDA:Earth Berberoka", "tools": [ "Agent.dhwf", "AngryRebel", "AsyncRAT", "CinaRAT", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "Kaba", "Korplug", "Moudour", "Mydoor", "PCRat", "PlugX", "PuppetLoader", "Quasar RAT", "QuasarRAT", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "Xamtrav", "Yggdrasil", "oRAT" ], "source_id": "ETDA", "reports": null }, { "id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253", "created_at": "2022-10-25T16:07:24.277669Z", "updated_at": "2026-04-10T02:00:04.919609Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "Operation LagTime IT", "Operation StealthyTrident", "ThunderCats" ], "source_name": "ETDA:TA428", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "Albaniiutas", "BlueTraveller", "Chymine", "Cotx RAT", "CoughingDown", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "LuckyBack", "PhantomNet", "PlugX", "Poison Ivy", "RedDelta", "RoyalRoad", "SManager", "SPIVY", "Sogu", "TIGERPLUG", "TManger", "TVT", "Thoper", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f", "created_at": "2022-10-25T16:07:23.335869Z", "updated_at": "2026-04-10T02:00:04.547702Z", "deleted_at": null, "main_name": "APT 19", "aliases": [ "APT 19", "Bronze Firestone", "C0d0so0", "Checkered Typhoon", "Codoso", "Deep Panda", "G0009", "G0073", "Operation Kingslayer", "Red Pegasus", "Sunshop Group", "TG-3551" ], "source_name": "ETDA:APT 19", "tools": [ "Agentemis", "C0d0so0", "Cobalt Strike", "CobaltStrike", "Derusbi", "EmPyre", "EmpireProject", "Fire Chili", "PowerShell Empire", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "df9bfbf1-bb9d-492f-b381-95b9e1482267", "created_at": "2022-10-25T16:07:24.394491Z", "updated_at": "2026-04-10T02:00:04.973663Z", "deleted_at": null, "main_name": "Whitefly", "aliases": [ "ATK 83", "Bronze Walker", "G0103", "G0107", "Mofang", "SectorM04", "TEMP.Mimic" ], "source_name": "ETDA:Whitefly", "tools": [ "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Nibatad", "Shim RAT", "ShimRAT", "Vcrodat" ], "source_id": "ETDA", "reports": null }, { "id": "48782737-377b-47b4-aff0-87424208a643", "created_at": "2023-01-06T13:46:38.569144Z", "updated_at": "2026-04-10T02:00:03.02685Z", "deleted_at": null, "main_name": "Blue Termite", "aliases": [ "Cloudy Omega", "Emdivi" ], "source_name": "MISPGALAXY:Blue Termite", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69484be-98d1-49e6-aed1-a28dbf65176a", "created_at": "2022-10-25T16:07:23.886782Z", "updated_at": "2026-04-10T02:00:04.779029Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "G0019", "Hellsing", "ITG06", "Lotus Panda", "Naikon", "Operation CameraShy" ], "source_name": "ETDA:Naikon", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "AR", "ARL", "Agent.dhwf", "Aria-body", "Aria-body loader", "Asset Reconnaissance Lighthouse", "BackBend", "Creamsicle", "Custom HDoor", "Destroy RAT", "DestroyRAT", "Flashflood", "FoundCore", "Gemcutter", "HDoor", "JadeRAT", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LadonGo", "Lecna", "Living off the Land", "NBTscan", "Naikon", "NetEagle", "Neteagle_Scout", "NewCore RAT", "Orangeade", "PlugX", "Quarks PwDump", "RARSTONE", "RainyDay", "RedDelta", "RoyalRoad", "Sacto", "Sandboxie", "ScoutEagle", "Shipshape", "Sisfader", "Sisfader RAT", "Sogu", "SslMM", "Sys10", "TIGERPLUG", "TVT", "TeamViewer", "Thoper", "WinMM", "Xamtrav", "XsFunction", "ZRLnk", "nbtscan", "nokian", "norton", "xsControl", "xsPlus" ], "source_id": "ETDA", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "f86ac24d-0aef-425c-8087-c0dd270060b9", "created_at": "2024-04-24T02:02:07.638437Z", "updated_at": "2026-04-10T02:00:04.663683Z", "deleted_at": null, "main_name": "Earth Krahang", "aliases": [], "source_name": "ETDA:Earth Krahang", "tools": [ "Agent.dhwf", "Agentemis", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "DinodasRAT", "Kaba", "Korplug", "POISONPLUG.SHADOW", "PlugX", "RedDelta", "Reshell", "ShadowPad Winnti", "Sogu", "TIGERPLUG", "TVT", "Thoper", "XDealer", "XShellGhost", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "d67df52c-a901-4d55-b287-321818500789", "created_at": "2024-04-24T02:00:49.591518Z", "updated_at": "2026-04-10T02:00:05.314272Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "ToddyCat" ], "source_name": "MITRE:ToddyCat", "tools": [ "Cobalt Strike", "LoFiSe", "China Chopper", "netstat", "Pcexter", "Samurai" ], "source_id": "MITRE", "reports": null }, { "id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5", "created_at": "2022-10-25T16:07:24.329539Z", "updated_at": "2026-04-10T02:00:04.939013Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Operation Stayin’ Alive", "Storm-0247" ], "source_name": "ETDA:ToddyCat", "tools": [ "CHINACHOPPER", "China Chopper", "Cuthead", "FRP", "Fast Reverse Proxy", "Impacket", "Krong", "LoFiSe", "Ngrok", "PcExter", "PsExec", "SIMPOBOXSPY", "Samurai", "SinoChopper", "SoftEther VPN", "TomBerBil", "WAExp" ], "source_id": "ETDA", "reports": null }, { "id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae", "created_at": "2022-12-27T17:02:23.458269Z", "updated_at": "2026-04-10T02:00:04.813897Z", "deleted_at": null, "main_name": "Operation LiberalFace", "aliases": [ "MirrorFace", "Operation AkaiRyū", "Operation LiberalFace" ], "source_name": "ETDA:Operation LiberalFace", "tools": [ "Anel", "AsyncRAT", "LODEINFO", "MirrorStealer", "UpperCut", "lena" ], "source_id": "ETDA", "reports": null }, { "id": "0e62ad61-c51d-460e-a587-b11d17bb2fb3", "created_at": "2024-10-04T02:00:04.754794Z", "updated_at": "2026-04-10T02:00:03.712878Z", "deleted_at": null, "main_name": "DragonRank", "aliases": [], "source_name": "MISPGALAXY:DragonRank", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "926dcfeb-19dd-4786-b601-3c0c4c477b43", "created_at": "2023-01-06T13:46:38.787762Z", "updated_at": "2026-04-10T02:00:03.10053Z", "deleted_at": null, "main_name": "HenBox", "aliases": [], "source_name": "MISPGALAXY:HenBox", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "b4ec06e5-60c9-4796-9f85-129c77d1652b", "created_at": "2023-01-06T13:46:39.21956Z", "updated_at": "2026-04-10T02:00:03.249407Z", "deleted_at": null, "main_name": "VIKING SPIDER", "aliases": [], "source_name": "MISPGALAXY:VIKING SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d", "created_at": "2024-05-01T02:03:07.943593Z", "updated_at": "2026-04-10T02:00:03.795229Z", "deleted_at": null, "main_name": "BRONZE EDISON", "aliases": [ "APT4 ", "DarkSeoul", "Maverick Panda ", "Salmon Typhoon ", "Sodium ", "Sykipot ", "TG-0623 ", "getkys" ], "source_name": "Secureworks:BRONZE EDISON", "tools": [ "Gh0st RAT", "Wkysol", "ZxPortMap" ], "source_id": "Secureworks", "reports": null }, { "id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32", "created_at": "2023-04-20T02:01:50.979595Z", "updated_at": "2026-04-10T02:00:02.913011Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "BRONZE STERLING", "G0013", "PLA Unit 78020", "OVERRIDE PANDA", "Camerashy", "BRONZE GENEVA", "G0019", "Naikon" ], "source_name": "MISPGALAXY:Naikon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "33ae2a40-02cd-4dba-8461-d0a50e75578b", "created_at": "2023-01-06T13:46:38.947314Z", "updated_at": "2026-04-10T02:00:03.155091Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "UNC1326", "COSMIC WOLF", "Marbled Dust", "SILICON", "Teal Kurma" ], "source_name": "MISPGALAXY:Sea Turtle", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e737c474-a1f2-4e18-9d78-1c00f0887fa0", "created_at": "2023-11-05T02:00:08.085728Z", "updated_at": "2026-04-10T02:00:03.401539Z", "deleted_at": null, "main_name": "Carderbee", "aliases": [], "source_name": "MISPGALAXY:Carderbee", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9e6186dd-9334-4aac-9957-98f022cd3871", "created_at": "2022-10-25T15:50:23.357398Z", "updated_at": "2026-04-10T02:00:05.368552Z", "deleted_at": null, "main_name": "ZIRCONIUM", "aliases": [ "APT31", "Violet Typhoon" ], "source_name": "MITRE:ZIRCONIUM", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0", "created_at": "2022-10-25T15:50:23.400822Z", "updated_at": "2026-04-10T02:00:05.350302Z", "deleted_at": null, "main_name": "Higaisa", "aliases": [ "Higaisa" ], "source_name": "MITRE:Higaisa", "tools": [ "PlugX", "certutil", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "478e9b27-39b9-49e4-a3c5-81569a767275", "created_at": "2022-10-25T15:50:23.417339Z", "updated_at": "2026-04-10T02:00:05.41593Z", "deleted_at": null, "main_name": "Taidoor", "aliases": [ "Taidoor" ], "source_name": "MITRE:Taidoor", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b", "created_at": "2023-01-06T13:46:39.181151Z", "updated_at": "2026-04-10T02:00:03.237995Z", "deleted_at": null, "main_name": "Red Charon", "aliases": [], "source_name": "MISPGALAXY:Red Charon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc", "created_at": "2023-01-06T13:46:38.354607Z", "updated_at": "2026-04-10T02:00:02.939761Z", "deleted_at": null, "main_name": "APT23", "aliases": [ "BRONZE HOBART", "G0081", "Red Orthrus", "Earth Centaur", "PIRATE PANDA", "KeyBoy", "Tropic Trooper" ], "source_name": "MISPGALAXY:APT23", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "7f177406-ec53-4a0e-83b8-9876130c9e73", "created_at": "2024-08-28T02:02:09.350152Z", "updated_at": "2026-04-10T02:00:04.69275Z", "deleted_at": null, "main_name": "APT9", "aliases": [], "source_name": "ETDA:APT9", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "17d16126-35d7-4c59-88a5-0b48e755e80f", "created_at": "2025-08-07T02:03:24.622109Z", "updated_at": "2026-04-10T02:00:03.726126Z", "deleted_at": null, "main_name": "BRONZE HUNTLEY", "aliases": [ "CactusPete ", "Earth Akhlut ", "Karma Panda ", "Red Beifang", "Tonto Team" ], "source_name": "Secureworks:BRONZE HUNTLEY", "tools": [ "Bisonal", "RatN", "Royal Road", "ShadowPad" ], "source_id": "Secureworks", "reports": null }, { "id": "4660477f-333f-4a18-b49b-0b4d7c66d482", "created_at": "2023-01-06T13:46:38.511962Z", "updated_at": "2026-04-10T02:00:03.007466Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "StrongPity", "G0056" ], "source_name": "MISPGALAXY:PROMETHIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "699b7efc-322d-489d-818d-823fac028124", "created_at": "2023-01-06T13:46:39.404825Z", "updated_at": "2026-04-10T02:00:03.315524Z", "deleted_at": null, "main_name": "APT9", "aliases": [ "NIGHTSHADE PANDA", "Red Pegasus", "Group 27" ], "source_name": "MISPGALAXY:APT9", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "df299f24-89cb-47e3-9515-c018bb501443", "created_at": "2023-11-21T02:00:07.383392Z", "updated_at": "2026-04-10T02:00:03.473887Z", "deleted_at": null, "main_name": "Moshen Dragon", "aliases": [], "source_name": "MISPGALAXY:Moshen Dragon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "3b978023-9d82-46fb-b836-a0d011504d2c", "created_at": "2022-10-25T16:07:23.368134Z", "updated_at": "2026-04-10T02:00:04.568035Z", "deleted_at": null, "main_name": "AVIVORE", "aliases": [], "source_name": "ETDA:AVIVORE", "tools": [ "Agent.dhwf", "Destroy RAT", "DestroyRAT", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a7aefdda-98f1-4790-a32d-14cc99de2d60", "created_at": "2023-01-06T13:46:38.281844Z", "updated_at": "2026-04-10T02:00:02.909711Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "BRONZE KEYSTONE", "G0025", "Group 72", "G0001", "HELIUM", "Heart Typhoon", "Group 8", "AURORA PANDA", "Hidden Lynx", "Tailgater Team" ], "source_name": "MISPGALAXY:APT17", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4b7f4f69-7c56-4691-9071-9365884a7f30", "created_at": "2024-10-25T02:02:07.672671Z", "updated_at": "2026-04-10T02:00:04.660715Z", "deleted_at": null, "main_name": "Earth Baxia", "aliases": [], "source_name": "ETDA:Earth Baxia", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "EAGLEDOOR", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "d24c2548-d163-4a73-865f-0d4cb917fee7", "created_at": "2024-04-20T02:00:03.580316Z", "updated_at": "2026-04-10T02:00:03.628323Z", "deleted_at": null, "main_name": "UNC3569", "aliases": [], "source_name": "MISPGALAXY:UNC3569", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d", "created_at": "2022-10-25T16:07:23.42507Z", "updated_at": "2026-04-10T02:00:04.593122Z", "deleted_at": null, "main_name": "Bronze Starlight", "aliases": [ "Cinnamon Tempest", "DEV-0401", "HighGround", "Operation ChattyGoblin", "SLIME34" ], "source_name": "ETDA:Bronze Starlight", "tools": [ "Agent.dhwf", "Agentemis", "AtomSilo", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "HUI Loader", "Kaba", "Korplug", "LockFile", "Night Sky", "NightSky", "Pandora", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "446025dc-d003-448e-a5ea-43ce24bc883d", "created_at": "2022-10-25T16:07:23.997281Z", "updated_at": "2026-04-10T02:00:04.827365Z", "deleted_at": null, "main_name": "Operation Red Signature", "aliases": [], "source_name": "ETDA:Operation Red Signature", "tools": [ "9002 RAT", "HOMEUNIX", "HidraQ", "Homux", "Hydraq", "McRAT", "MdmBot", "Roarur" ], "source_id": "ETDA", "reports": null }, { "id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337", "created_at": "2022-10-25T16:07:23.318008Z", "updated_at": "2026-04-10T02:00:04.539063Z", "deleted_at": null, "main_name": "APT 4", "aliases": [ "APT 4", "Bronze Edison", "Maverick Panda", "Salmon Typhoo", "Sodium", "Sykipot", "TG-0623", "Wisp Team" ], "source_name": "ETDA:APT 4", "tools": [ "Getkys", "Sykipot", "Wkysol", "XMRig" ], "source_id": "ETDA", "reports": null }, { "id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71", "created_at": "2025-01-21T02:00:03.599871Z", "updated_at": "2026-04-10T02:00:03.804511Z", "deleted_at": null, "main_name": "Operation DRBControl", "aliases": [], "source_name": "MISPGALAXY:Operation DRBControl", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "46a151bd-e4c2-46f9-aee9-ee6942b01098", "created_at": "2023-01-06T13:46:38.288168Z", "updated_at": "2026-04-10T02:00:02.911919Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "DEEP PANDA", "Codoso", "KungFu Kittens", "Group 13", "G0009", "G0073", "Checkered Typhoon", "Black Vine", "TEMP.Avengers", "PinkPanther", "Shell Crew", "BRONZE FIRESTONE", "Sunshop Group" ], "source_name": "MISPGALAXY:APT19", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5d9dfc61-6138-497a-b9da-33885539f19c", "created_at": "2022-10-25T16:07:23.720008Z", "updated_at": "2026-04-10T02:00:04.726002Z", "deleted_at": null, "main_name": "Icefog", "aliases": [ "ATK 23", "Dagger Panda", "Icefog", "Red Wendigo" ], "source_name": "ETDA:Icefog", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Dagger Three", "Fucobha", "Icefog", "Javafog", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "273a41a8-5115-4f55-865f-0960a765f18c", "created_at": "2022-10-25T16:07:24.397947Z", "updated_at": "2026-04-10T02:00:04.974605Z", "deleted_at": null, "main_name": "Wicked Spider", "aliases": [ "APT 22", "Bronze Export", "Bronze Olive", "Wicked Spider" ], "source_name": "ETDA:Wicked Spider", "tools": [ "Agent.dhwf", "AngryRebel", "Destroy RAT", "DestroyRAT", "DoublePulsar", "EternalBlue", "Farfli", "Gh0st RAT", "Ghost RAT", "Kaba", "Korplug", "Moudour", "Mydoor", "PCRat", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "b72c2616-cc7c-4c47-a83d-6b7866b94746", "created_at": "2023-01-06T13:46:39.425297Z", "updated_at": "2026-04-10T02:00:03.323082Z", "deleted_at": null, "main_name": "Red Nue", "aliases": [ "LuoYu" ], "source_name": "MISPGALAXY:Red Nue", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c69bcda3-0893-4ea1-9ec1-ae016332d283", "created_at": "2023-01-06T13:46:39.410593Z", "updated_at": "2026-04-10T02:00:03.317754Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "DEV-0401", "Cinnamon Tempest", "Emperor Dragonfly", "SLIME34" ], "source_name": "MISPGALAXY:BRONZE STARLIGHT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e79c98d-c678-4f28-b869-5723a78e71f4", "created_at": "2023-01-06T13:46:39.422441Z", "updated_at": "2026-04-10T02:00:03.322083Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "SixLittleMonkeys" ], "source_name": "MISPGALAXY:Vicious Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6dbb9bfb-3d63-4f81-99bd-35d61304d82a", "created_at": "2023-01-06T13:46:39.441522Z", "updated_at": "2026-04-10T02:00:03.330836Z", "deleted_at": null, "main_name": "SLIME29", "aliases": [], "source_name": "MISPGALAXY:SLIME29", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5", "created_at": "2023-11-08T02:00:07.176033Z", "updated_at": "2026-04-10T02:00:03.435082Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "MISPGALAXY:Dalbit", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "75024aad-424b-449a-b286-352fe9226bcb", "created_at": "2023-01-06T13:46:38.962724Z", "updated_at": "2026-04-10T02:00:03.164536Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "CIRCUIT PANDA", "Temp.Overboard", "Palmerworm", "G0098", "T-APT-03", "Manga Taurus", "Earth Hundun", "Mobwork", "HUAPI", "Red Djinn", "Canary Typhoon" ], "source_name": "MISPGALAXY:BlackTech", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "28ed64bd-f692-4fb4-b41e-cb8d0397bea6", "created_at": "2025-03-07T02:00:03.803851Z", "updated_at": "2026-04-10T02:00:03.833101Z", "deleted_at": null, "main_name": "Teleboyi", "aliases": [], "source_name": "MISPGALAXY:Teleboyi", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a", "created_at": "2022-10-25T16:07:24.332084Z", "updated_at": "2026-04-10T02:00:04.940672Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Bronze Huntley", "CactusPete", "Earth Akhlut", "G0131", "HartBeat", "Karma Panda", "LoneRanger", "Operation Bitter Biscuit", "TAG-74", "Tonto Team" ], "source_name": "ETDA:Tonto Team", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Bioazih", "Bisonal", "CONIME", "Dexbia", "Korlia", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4", "created_at": "2022-10-25T16:07:23.946958Z", "updated_at": "2026-04-10T02:00:04.80291Z", "deleted_at": null, "main_name": "Operation DRBControl", "aliases": [], "source_name": "ETDA:Operation DRBControl", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "5fba09c3-73cc-4898-9b82-e73b012016c6", "created_at": "2025-08-07T02:03:24.578591Z", "updated_at": "2026-04-10T02:00:03.767329Z", "deleted_at": null, "main_name": "BRONZE EDGEWOOD", "aliases": [ "Red Hariasa" ], "source_name": "Secureworks:BRONZE EDGEWOOD", "tools": [ "Chinoxy", "Cobalt Strike", "FunnyDream", "Md_client", "Nishang Post Exploitation Framework", "PCShare", "Zuguo" ], "source_id": "Secureworks", "reports": null }, { "id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf", "created_at": "2022-10-25T15:50:23.31611Z", "updated_at": "2026-04-10T02:00:05.370146Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "Naikon" ], "source_name": "MITRE:Naikon", "tools": [ "ftp", "netsh", "WinMM", "Systeminfo", "RainyDay", "RARSTONE", "HDoor", "Sys10", "SslMM", "PsExec", "Tasklist", "Aria-body" ], "source_id": "MITRE", "reports": null }, { "id": "54e55585-1025-49d2-9de8-90fc7a631f45", "created_at": "2025-08-07T02:03:24.563488Z", "updated_at": "2026-04-10T02:00:03.715427Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "CTG-2006 ", "Daserf", "Stalker Panda ", "Swirl Typhoon ", "Tick " ], "source_name": "Secureworks:BRONZE BUTLER", "tools": [ "ABK", "BBK", "Casper", "DGet", "Daserf", "Datper", "Ghostdown", "Gofarer", "MSGet", "Mimikatz", "Netboy", "RarStar", "Screen Capture Tool", "ShadowPad", "ShadowPy", "T-SMB", "down_new", "gsecdump" ], "source_id": "Secureworks", "reports": null }, { "id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b", "created_at": "2025-08-07T02:03:24.569066Z", "updated_at": "2026-04-10T02:00:03.730864Z", "deleted_at": null, "main_name": "BRONZE CANAL", "aliases": [ "BlackTech", "CTG-6177 ", "Circuit Panda ", "Earth Hundun", "Palmerworm ", "Red Djinn", "Shrouded Crossbow " ], "source_name": "Secureworks:BRONZE CANAL", "tools": [ "Bifrose", "DRIGO", "Deuterbear", "Flagpro", "Gh0stTimes", "KIVARS", "PLEAD", "Spiderpig", "Waterbear", "XBOW" ], "source_id": "Secureworks", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def", "created_at": "2025-08-07T02:03:24.626625Z", "updated_at": "2026-04-10T02:00:03.605175Z", "deleted_at": null, "main_name": "BRONZE KEYSTONE", "aliases": [ "APT17 ", "Aurora Panda ", "DeputyDog ", "Group 72 ", "Hidden Lynx ", "TG-8153 ", "Tailgater Team" ], "source_name": "Secureworks:BRONZE KEYSTONE", "tools": [ "9002", "BlackCoffee", "DeputyDog", "Derusbi", "Gh0stHTTPSDropper", "HiKit", "InternalCMD", "PlugX", "PoisonIvy", "ZxShell" ], "source_id": "Secureworks", "reports": null }, { "id": "593dd07d-853c-46cd-8117-e24061034bbf", "created_at": "2025-08-07T02:03:24.648074Z", "updated_at": "2026-04-10T02:00:03.625859Z", "deleted_at": null, "main_name": "BRONZE OVERBROOK", "aliases": [ "Danti ", "DragonOK ", "Samurai Panda ", "Shallow Taurus ", "Temp.DragonOK " ], "source_name": "Secureworks:BRONZE OVERBROOK", "tools": [ "Aveo", "DDKONG", "Godzilla Webshell", "HelloBridge", "IsSpace", "NFLog Trojan", "PLAINTEE", "PlugX", "Rambo" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c", "created_at": "2025-08-07T02:03:24.631402Z", "updated_at": "2026-04-10T02:00:03.608938Z", "deleted_at": null, "main_name": "BRONZE MAYFAIR", "aliases": [ "APT3 ", "Gothic Panda ", "Pirpi", "TG-0110 ", "UPSTeam" ], "source_name": "Secureworks:BRONZE MAYFAIR", "tools": [ "Cookiecutter", "HUC Proxy Malware (Htran)", "Pirpi", "PlugX", "SplitVPN", "UPS", "ctt", "ctx" ], "source_id": "Secureworks", "reports": null }, { "id": "1d63fba2-f042-41ca-8a72-64c6e737d295", "created_at": "2025-08-07T02:03:24.643647Z", "updated_at": "2026-04-10T02:00:03.719558Z", "deleted_at": null, "main_name": "BRONZE OLIVE", "aliases": [ "APT22 ", "Barista", "Group 46 ", "Suckfly " ], "source_name": "Secureworks:BRONZE OLIVE", "tools": [ "Angryrebel", "DestroyRAT", "PlugX" ], "source_id": "Secureworks", "reports": null }, { "id": "822063cf-d9bd-499a-9715-70d95881378f", "created_at": "2025-04-23T02:00:55.295207Z", "updated_at": "2026-04-10T02:00:05.254566Z", "deleted_at": null, "main_name": "Velvet Ant", "aliases": [ "Velvet Ant" ], "source_name": "MITRE:Velvet Ant", "tools": [ "PlugX", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "62b1b01f-168d-42db-afa1-29d794abc25f", "created_at": "2025-04-23T02:00:55.22426Z", "updated_at": "2026-04-10T02:00:05.358041Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Sea Turtle", "Teal Kurma", "Marbled Dust", "Cosmic Wolf", "SILICON" ], "source_name": "MITRE:Sea Turtle", "tools": [ "SnappyTCP" ], "source_id": "MITRE", "reports": null }, { "id": "64af9eaa-e528-42d2-95c6-f55aa0a13df5", "created_at": "2025-04-23T02:00:55.201298Z", "updated_at": "2026-04-10T02:00:05.33852Z", "deleted_at": null, "main_name": "RedEcho", "aliases": [ "RedEcho" ], "source_name": "MITRE:RedEcho", "tools": [ "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "254f2fab-5834-4d90-9205-d80e63d6d867", "created_at": "2023-01-06T13:46:38.31544Z", "updated_at": "2026-04-10T02:00:02.924166Z", "deleted_at": null, "main_name": "APT21", "aliases": [ "HAMMER PANDA", "TEMP.Zhenbao", "NetTraveler" ], "source_name": "MISPGALAXY:APT21", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695", "created_at": "2022-10-25T16:07:24.120424Z", "updated_at": "2026-04-10T02:00:04.871598Z", "deleted_at": null, "main_name": "RedFoxtrot", "aliases": [ "Moshen Dragon", "Nomad Panda", "TEMP.Trident" ], "source_name": "ETDA:RedFoxtrot", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "Fucobha", "GUNTERS", "Gen:Trojan.Heur.PT", "Icefog", "Impacket", "Kaba", "Korplug", "PCShare", "POISONPLUG.SHADOW", "PlugX", "Poison Ivy", "RedDelta", "RoyalRoad", "SPIVY", "ShadowPad Winnti", "Sogu", "TIGERPLUG", "TVT", "Thoper", "XShellGhost", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1", "created_at": "2023-01-06T13:46:39.042499Z", "updated_at": "2026-04-10T02:00:03.194713Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "BRONZE DUDLEY", "Colourful Panda" ], "source_name": "MISPGALAXY:TA428", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7", "created_at": "2023-01-06T13:46:39.068694Z", "updated_at": "2026-04-10T02:00:03.202867Z", "deleted_at": null, "main_name": "Calypso", "aliases": [ "BRONZE MEDLEY" ], "source_name": "MISPGALAXY:Calypso", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9c8a7541-1ce3-450a-9e41-494bc7af11a4", "created_at": "2023-01-06T13:46:39.358343Z", "updated_at": "2026-04-10T02:00:03.300601Z", "deleted_at": null, "main_name": "Red Menshen", "aliases": [ "Earth Bluecrow", "Red Dev 18" ], "source_name": "MISPGALAXY:Red Menshen", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "60d96824-1767-4b97-a6c7-7e9527458007", "created_at": "2023-01-06T13:46:39.378701Z", "updated_at": "2026-04-10T02:00:03.307846Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Websiic" ], "source_name": "MISPGALAXY:ToddyCat", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d", "created_at": "2025-08-07T02:03:24.595597Z", "updated_at": "2026-04-10T02:00:03.740023Z", "deleted_at": null, "main_name": "BRONZE FIRESTONE", "aliases": [ "APT19 ", "C0d0s0", "Checkered Typhoon ", "Chlorine ", "Deep Panda ", "Pupa ", "TG-3551 " ], "source_name": "Secureworks:BRONZE FIRESTONE", "tools": [ "9002", "Alice's Rabbit Hole", "Cobalt Strike", "Derusbi", "PlugX", "PoisonIvy", "PowerShell Empire", "Trojan Briba", "Zuguo" ], "source_id": "Secureworks", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "92049df8-7902-48e8-ad17-97398b923698", "created_at": "2022-10-25T16:07:23.81315Z", "updated_at": "2026-04-10T02:00:04.757082Z", "deleted_at": null, "main_name": "LuminousMoth", "aliases": [], "source_name": "ETDA:LuminousMoth", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4", "created_at": "2022-10-25T16:07:24.219051Z", "updated_at": "2026-04-10T02:00:04.902017Z", "deleted_at": null, "main_name": "Space Pirates", "aliases": [ "Erudite Mogwai", "Webworm" ], "source_name": "ETDA:Space Pirates", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BH_A006", "Chymine", "Darkmoon", "Deed RAT", "Destroy RAT", "DestroyRAT", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "MyKLoadClient", "Mydoor", "PCRat", "PCShare", "POISONPLUG.SHADOW", "PlugX", "Poison Ivy", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SnappyBee", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "XShellGhost", "Xamtrav", "Zupdax", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null }, { "id": "c240435e-8863-4e5b-9f47-20c6f5c52131", "created_at": "2022-10-25T16:07:23.253019Z", "updated_at": "2026-04-10T02:00:04.505012Z", "deleted_at": null, "main_name": "Outlaw Spider", "aliases": [], "source_name": "ETDA:Outlaw Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "5c74936a-79d1-41b8-81eb-01d03c90a26b", "created_at": "2022-10-25T16:07:23.371052Z", "updated_at": "2026-04-10T02:00:04.570621Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "G0001", "Group 72", "Operation SMN" ], "source_name": "ETDA:Axiom", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BlackCoffee", "BleDoor", "Chymine", "Darkmoon", "DeputyDog", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PNGRAT", "PlugX", "Poison Ivy", "RbDoor", "RedDelta", "RibDoor", "Roarur", "SPIVY", "Sensocode", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "ZXShell", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "17cfc7a6-c8f2-4806-b77f-ba23fb772e70", "created_at": "2023-09-07T02:02:47.182792Z", "updated_at": "2026-04-10T02:00:04.604605Z", "deleted_at": null, "main_name": "Carderbee", "aliases": [], "source_name": "ETDA:Carderbee", "tools": [ "Agent.dhwf", "Cobra DocGuard", "Destroy RAT", "DestroyRAT", "Kaba", "Korplug", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "340d1673-0678-4e1f-8b75-30da2f65cc80", "created_at": "2022-10-25T16:07:23.552036Z", "updated_at": "2026-04-10T02:00:04.653109Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Bronze Overbrook", "G0017", "Shallow Taurus" ], "source_name": "ETDA:DragonOK", "tools": [ "Agent.dhwf", "CT", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Gen:Trojan.Heur.PT", "HTran", "HUC Packet Transmit Tool", "HelloBridge", "IsSpace", "KHRAT", "Kaba", "Korplug", "Mongall", "NFlog", "NewCT", "NfLog RAT", "PlugX", "Poison Ivy", "Rambo", "RedDelta", "SPIVY", "Sogu", "SysGet", "TIGERPLUG", "TVT", "Thoper", "TidePool", "Xamtrav", "brebsd", "ffrat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null }, { "id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6", "created_at": "2022-10-25T16:07:24.114365Z", "updated_at": "2026-04-10T02:00:04.869887Z", "deleted_at": null, "main_name": "RedDelta", "aliases": [ "Operation Dianxun", "TA416" ], "source_name": "ETDA:RedDelta", "tools": [ "Agent.dhwf", "Agentemis", "Chymine", "Cobalt Strike", "CobaltStrike", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "PlugX", "Poison Ivy", "RedDelta", "SPIVY", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "5afe7b81-e99a-4c24-8fcc-250fb0cf40a3", "created_at": "2023-01-06T13:46:38.324616Z", "updated_at": "2026-04-10T02:00:02.928697Z", "deleted_at": null, "main_name": "Roaming Tiger", "aliases": [ "BRONZE WOODLAND", "Rotten Tomato" ], "source_name": "MISPGALAXY:Roaming Tiger", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea", "created_at": "2023-01-06T13:46:39.444946Z", "updated_at": "2026-04-10T02:00:03.331753Z", "deleted_at": null, "main_name": "GOBLIN PANDA", "aliases": [ "Conimes", "Cycldek" ], "source_name": "MISPGALAXY:GOBLIN PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2664d6f5-f918-4978-87f8-f6afad7402c6", "created_at": "2023-01-06T13:46:39.393669Z", "updated_at": "2026-04-10T02:00:03.312065Z", "deleted_at": null, "main_name": "Earth Berberoka", "aliases": [ "GamblingPuppet" ], "source_name": "MISPGALAXY:Earth Berberoka", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f72bb9d8-ff75-444f-8fb7-1e8e113cef73", "created_at": "2023-01-06T13:46:39.401929Z", "updated_at": "2026-04-10T02:00:03.314524Z", "deleted_at": null, "main_name": "BRONZE EDGEWOOD", "aliases": [ "Red Hariasa" ], "source_name": "MISPGALAXY:BRONZE EDGEWOOD", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "13d9c5fc-af82-4474-90dd-188c4e40a399", "created_at": "2022-10-25T16:07:23.435079Z", "updated_at": "2026-04-10T02:00:04.601572Z", "deleted_at": null, "main_name": "Calypso", "aliases": [ "Bronze Medley" ], "source_name": "ETDA:Calypso", "tools": [ "Agent.dhwf", "Byeby", "Calypso RAT", "DCSync", "Destroy RAT", "DestroyRAT", "DoublePulsar", "EternalBlue", "EternalRomance", "FlyingDutchman", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "NBTscan", "OS_Check_445", "PlugX", "Quarks PwDump", "RedDelta", "SAMRID", "Sogu", "SysInternals", "TCP Port Scanner", "TIGERPLUG", "TVT", "Thoper", "Whitebird", "Xamtrav", "ZXPortMap", "nbtscan", "netcat" ], "source_id": "ETDA", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "cff2cedd-a198-4e79-ae67-19048084ae7f", "created_at": "2024-06-20T02:02:09.945126Z", "updated_at": "2026-04-10T02:00:04.79991Z", "deleted_at": null, "main_name": "Operation Diplomatic Specter", "aliases": [ "CL-STA-0043", "TGR-STA-0043" ], "source_name": "ETDA:Operation Diplomatic Specter", "tools": [ "Agent Racoon", "Agent.dhwf", "AngryRebel", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "HTran", "HUC Packet Transmit Tool", "JuicyPotatoNG", "Kaba", "Korplug", "LadonGo", "Mimikatz", "Mimilite", "Moudour", "Mydoor", "NBTscan", "Ntospy", "PCRat", "PlugX", "RedDelta", "SharpEfsPotato", "SinoChopper", "Sogu", "SweetSpecter", "TIGERPLUG", "TVT", "Thoper", "TunnelSpecter", "Xamtrav", "Yasso", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c", "created_at": "2022-10-25T16:07:24.12696Z", "updated_at": "2026-04-10T02:00:04.875073Z", "deleted_at": null, "main_name": "Riddle Spider", "aliases": [ "Avaddon Team" ], "source_name": "ETDA:Riddle Spider", "tools": [ "Avaddon" ], "source_id": "ETDA", "reports": null }, { "id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62", "created_at": "2025-08-07T02:03:24.604463Z", "updated_at": "2026-04-10T02:00:03.798481Z", "deleted_at": null, "main_name": "BRONZE GENEVA", "aliases": [ "APT30 ", "BRONZE STERLING ", "CTG-5326 ", "Naikon ", "Override Panda ", "RADIUM ", "Raspberry Typhoon" ], "source_name": "Secureworks:BRONZE GENEVA", "tools": [ "Lecna Downloader", "Nebulae", "ShadowPad" ], "source_id": "Secureworks", "reports": null }, { "id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8", "created_at": "2025-08-07T02:03:24.674685Z", "updated_at": "2026-04-10T02:00:03.800936Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "Cinnamon Tempest ", "DEV-0401 ", "Emperor Dragonfly " ], "source_name": "Secureworks:BRONZE STARLIGHT", "tools": [ "AtomSilo", "Cobalt Strike", "HUI Loader", "Impacket", "LockFile", "NightSky", "Pandora", "PlugX", "Rook" ], "source_id": "Secureworks", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "ee9a20b1-c6d6-42da-909d-66e7699723d1", "created_at": "2025-08-07T02:03:24.704306Z", "updated_at": "2026-04-10T02:00:03.722506Z", "deleted_at": null, "main_name": "BRONZE WOODLAND", "aliases": [ "CTG-7273 ", "Roaming Tiger ", "Rotten Tomato " ], "source_name": "Secureworks:BRONZE WOODLAND", "tools": [ "Appat", "BbsRAT", "PlugX", "Zbot" ], "source_id": "Secureworks", "reports": null }, { "id": "1820b6d5-4c68-4c37-bd25-034fd77cf1bf", "created_at": "2026-01-17T02:00:03.195495Z", "updated_at": "2026-04-10T02:00:03.89438Z", "deleted_at": null, "main_name": "CL-STA-0048", "aliases": [ "CL STA 0048" ], "source_name": "MISPGALAXY:CL-STA-0048", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e09a03a6-ce6c-4f6b-b8c6-38c3edecd743", "created_at": "2026-01-20T02:00:03.665377Z", "updated_at": "2026-04-10T02:00:03.915084Z", "deleted_at": null, "main_name": "UNC6384", "aliases": [], "source_name": "MISPGALAXY:UNC6384", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "46b409af-b2ea-43b8-9223-e01d982e00ce", "created_at": "2022-10-25T16:07:23.966265Z", "updated_at": "2026-04-10T02:00:04.810937Z", "deleted_at": null, "main_name": "Operation Harvest", "aliases": [], "source_name": "ETDA:Operation Harvest", "tools": [ "Agent.dhwf", "BadPotato", "BleDoor", "Destroy RAT", "DestroyRAT", "Impacket", "Kaba", "Korplug", "Mimikatz", "NBTscan", "PlugX", "ProcDump", "PsExec", "RbDoor", "RedDelta", "RibDoor", "RottenPotato", "SMBExec", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WinRAR", "Winnti", "Xamtrav", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b", "created_at": "2022-10-25T16:07:23.419513Z", "updated_at": "2026-04-10T02:00:04.591062Z", "deleted_at": null, "main_name": "Bronze Butler", "aliases": [ "Bronze Butler", "CTG-2006", "G0060", "Operation ENDTRADE", "RedBaldNight", "Stalker Panda", "Stalker Taurus", "Swirl Typhoon", "TEMP.Tick", "Tick" ], "source_name": "ETDA:Bronze Butler", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "9002 RAT", "AngryRebel", "Blogspot", "Daserf", "Datper", "Elirks", "Farfli", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "HomamDownloader", "Homux", "Hydraq", "Lilith", "Lilith RAT", "McRAT", "MdmBot", "Mimikatz", "Minzen", "Moudour", "Muirim", "Mydoor", "Nioupale", "PCRat", "POISONPLUG.SHADOW", "Roarur", "RoyalRoad", "ShadowPad Winnti", "ShadowWali", "ShadowWalker", "SymonLoader", "WCE", "Wali", "Windows Credential Editor", "Windows Credentials Editor", "XShellGhost", "XXMM", "gsecdump", "rarstar" ], "source_id": "ETDA", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "0c0d8f44-d131-41c8-a693-efb687e777f1", "created_at": "2024-06-20T02:02:10.211899Z", "updated_at": "2026-04-10T02:00:04.962606Z", "deleted_at": null, "main_name": "Velvet Ant", "aliases": [], "source_name": "ETDA:Velvet Ant", "tools": [ "Agent.dhwf", "Destroy RAT", "DestroyRAT", "ESRDE", "Kaba", "Korplug", "POISONPLUG.SHADOW", "PlugX", "RedDelta", "SAMRID", "ShadowPad Winnti", "Sogu", "TIGERPLUG", "TVT", "Thoper", "VELVETSTING", "VELVETTAP", "XShellGhost", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef", "created_at": "2022-10-25T16:07:23.455744Z", "updated_at": "2026-04-10T02:00:04.61281Z", "deleted_at": null, "main_name": "Chimera", "aliases": [ "Bronze Vapor", "G0114", "Nuclear Taurus", "Operation Skeleton Key", "Red Charon", "THORIUM", "Tumbleweed Typhoon" ], "source_name": "ETDA:Chimera", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "SkeletonKeyInjector", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39", "created_at": "2022-10-25T16:07:23.690871Z", "updated_at": "2026-04-10T02:00:04.709966Z", "deleted_at": null, "main_name": "Goblin Panda", "aliases": [ "1937CN", "Conimes", "Cycldek", "Goblin Panda" ], "source_name": "ETDA:Goblin Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "BackDoor-FBZT!52D84425CDF2", "BlueCore", "BrowsingHistoryView", "ChromePass", "CoreLoader", "Custom HDoor", "Destroy RAT", "DestroyRAT", "DropPhone", "FoundCore", "HDoor", "HTTPTunnel", "JsonCookies", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "NBTscan", "NewCore RAT", "PlugX", "ProcDump", "PsExec", "QCRat", "RainyDay", "RedCore", "RedDelta", "RoyalRoad", "Sisfader", "Sisfader RAT", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Win32.Staser.ytq", "USBCulprit", "Win32/Zegost.BW", "Xamtrav", "ZeGhost", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "236429ce-6355-43f6-9b58-e6803a1df3f4", "created_at": "2026-03-16T02:02:50.60344Z", "updated_at": "2026-04-10T02:00:03.641587Z", "deleted_at": null, "main_name": "Bronze Union", "aliases": [ "Circle Typhoon ", "Emissary Panda " ], "source_name": "Secureworks:Bronze Union", "tools": [ "China Chopper", "OwaAuth", "Sysupdate" ], "source_id": "Secureworks", "reports": null }, { "id": "86fd71d3-06dc-4b73-b038-cedea7b83bac", "created_at": "2022-10-25T16:07:23.330793Z", "updated_at": "2026-04-10T02:00:04.545236Z", "deleted_at": null, "main_name": "APT 17", "aliases": [ "APT 17", "ATK 2", "Beijing Group", "Bronze Keystone", "Deputy Dog", "Elderwood", "Elderwood Gang", "G0025", "G0066", "Operation Aurora", "Operation DeputyDog", "Operation Ephemeral Hydra", "Operation RAT Cook", "SIG22", "Sneaky Panda", "TEMP.Avengers", "TG-8153", "Tailgater Team" ], "source_name": "ETDA:APT 17", "tools": [ "9002 RAT", "AGENT.ABQMR", "AGENT.AQUP.DROPPER", "AGENT.BMZA", "AGENT.GUNZ", "Agent.dhwf", "AngryRebel", "BlackCoffee", "Briba", "Chymine", "Comfoo", "Comfoo RAT", "Darkmoon", "DeputyDog", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Jumpall", "Kaba", "Korplug", "Linfo", "MCRAT.A", "McRAT", "MdmBot", "Mdmbot.E", "Moudour", "Mydoor", "Naid", "Nerex", "PCRat", "PNGRAT", "Pasam", "PlugX", "Poison Ivy", "RedDelta", "Roarur", "SPIVY", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Naid", "Vasport", "Wiarp", "Xamtrav", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "81e29474-63ad-4ce8-97db-b1712d5481d5", "created_at": "2024-04-24T02:00:49.570158Z", "updated_at": "2026-04-10T02:00:05.285111Z", "deleted_at": null, "main_name": "Cinnamon Tempest", "aliases": [ "Cinnamon Tempest", "DEV-0401", "Emperor Dragonfly", "BRONZE STARLIGHT" ], "source_name": "MITRE:Cinnamon Tempest", "tools": [ "Pandora", "PlugX", "Cheerscrypt", "Impacket", "Cobalt Strike", "HUI Loader", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434819, "ts_updated_at": 1775792278, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b73f7bea7b5c24090ad3b53eab5c8dc280c7a693.pdf", "text": "https://archive.orkl.eu/b73f7bea7b5c24090ad3b53eab5c8dc280c7a693.txt", "img": "https://archive.orkl.eu/b73f7bea7b5c24090ad3b53eab5c8dc280c7a693.jpg" } }