{
	"id": "aaa93e17-29e0-4f93-a9e3-c975df5a1184",
	"created_at": "2026-04-06T00:10:08.851529Z",
	"updated_at": "2026-04-10T03:37:51.374791Z",
	"deleted_at": null,
	"sha1_hash": "b9e3028aa01afb5984e7e1796b5914dd7f40309c",
	"title": "Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1011313,
	"plain_text": "Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector\r\nPublished: 2023-08-17 · Archived: 2026-04-05 12:46:44 UTC\r\nBy Aleksandar Milenkoski and Tom Hegel\r\nExecutive Summary\r\nSentinelLABS has identified suspected-Chinese malware and infrastructure potentially involved in China-associated operations directed at the gambling sector within Southeast Asia.\r\nThe threat actors drop Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons.\r\nWe’ve observed related malware using the signature of a likely stolen code signing certificate issued to PMG PTE LTD, a Singapore-based vendor of Ivacy VPN services.\r\nIndicators point to the China-aligned BRONZE STARLIGHT group; however, the exact grouping remains unclear due to the interconnected relationships among various Chinese APT groups.\r\nOverview\r\nThriving after China’s crackdown on its Macao-based gambling industry, the Southeast Asian gambling sector has become a focal point for the country’s interests in the region, particularly data collection for monitoring and countering related activities in China.\r\nWe observed malware and infrastructure likely related to China-aligned activities targeting this sector. The malware and infrastructure we analyze are related to indicators observed in Operation ChattyGoblin and are likely part of the same activity cluster. Operation ChattyGoblin is ESET’s name for a series of attacks by China-nexus actors targeting Southeast Asian gambling companies with trojanized Comm100 and LiveHelp100 chat applications.\r\nThe targeting, malware used, and C2 infrastructure specifics point to past activities that third parties have linked to the China-aligned BRONZE STARLIGHT group (also known as DEV-0401 or SLIME34). 
This is a suspected Chinese ‘ransomware’ group whose main goal appears to be espionage rather than financial gain, using ransomware as a means of distraction or misattribution. Team T5 has also reported on BRONZE STARLIGHT’s politically motivated involvement in targeting the Southeast Asian gambling industry.\r\nDespite the indicators observed, accurate clustering remains challenging. The Chinese APT ecosystem is plagued by extensive sharing of malware and infrastructure management processes between groups, making high-confidence clustering difficult based on current visibility. Our analysis has led us to historical artifacts that represent points of convergence between BRONZE STARLIGHT and other China-based actors, which showcases the complexity of a Chinese threat ecosystem composed of closely affiliated groups.\r\nhttps://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/\r\nPage 1 of 8\n\nBackground\r\nESET reported that a ChattyGoblin-related attack in March 2023 targeted the support agents of a gambling company in the Philippines. In the attack, a trojanized LiveHelp100 application downloaded a .NET malware loader named agentupdate_plugins.exe. The final payload was a Cobalt Strike beacon using the duckducklive[.]top domain for C2 purposes. The hash of this malware loader was not disclosed.\r\nWe subsequently identified malware loaders that we assess are closely related to those observed as part of Operation ChattyGoblin and are likely part of the same activity cluster – a .NET executable also named agentupdate_plugins.exe and its variant AdventureQuest.exe.\r\nThis association is based on naming conventions, code, and functional overlaps with the sample described in ESET’s report. 
Although we cannot conclusively determine whether the agentupdate_plugins.exe we analyzed is the same as that reported by ESET, we note that one of its VirusTotal submissions is dated March 2023 and originates from the Philippines. This aligns with the geolocation of the target and the timeline of the ChattyGoblin-related attack involving agentupdate_plugins.exe.\r\nThe Malware Loaders\r\nagentupdate_plugins.exe and AdventureQuest.exe deploy .NET executables based on the SharpUnhooker tool, which download second-stage data from Alibaba buckets hosted at agenfile.oss-ap-southeast-1.aliyuncs[.]com and codewavehub.oss-ap-southeast-1.aliyuncs[.]com. The second-stage data is stored in password-protected zip archives.\r\nThe zip archives downloaded by agentupdate_plugins.exe and AdventureQuest.exe contain sideloading capabilities. Each of the archives we were able to retrieve consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets sideloaded by the executable when started, and an encrypted data file named agent.data.\r\nThe executables are components of the software products Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan. The malicious DLLs masquerade as their legitimate counterparts: they export functions with the same names, such that specific functions, when invoked by the legitimate executables, decrypt and execute code embedded in the data files. 
The data files we could retrieve implement Cobalt Strike beacons.\r\nZip archive (downloaded by) | Archive content | Final payload\r\nadobe_helper.zip (agentupdate_plugins.exe) | Adobe CEF Helper.exe, libcef.dll, agent.data (not available) | /\r\ncefhelper.zip (AdventureQuest.exe) | identity_helper.exe, msedge_elf.dll, agent.data | Cobalt Strike, C2: www.100helpchat[.]com\r\nAgent_bak.zip (AdventureQuest.exe) | mfeann.exe, LockDown.dll, agent.data | Cobalt Strike, C2: live100heip[.]com\r\nThe 100helpchat[.]com and live100heip[.]com C2 domains follow the naming convention of the LiveHelp100 trojanized application used in operation ChattyGoblin, possibly to make malicious network activity look like legitimate LiveHelp100 activity.\r\nagentupdate_plugins.exe and AdventureQuest.exe implement geofencing based on the ifconfig.co IP-based geolocation service. The loaders are meant to stop their execution if they are run on a machine located in the United States, Germany, France, Russia, India, Canada, or the United Kingdom. This may indicate that the threat actors have no interest in intrusions in these countries for this campaign. Due to errors in implementation, the geofencing fails to work as intended.\r\nStolen Ivacy VPN Certificate\r\nAdventureQuest.exe is signed using a certificate issued to the Ivacy VPN vendor PMG PTE LTD:\r\nThumbprint: 62E990CC0A26D58E1A150617357010EE53186707\r\nSerial number: 0E3E037C57A5447295669A3DB1A28B8A\r\nIvacy has been present on the market since 2007 and attracts users with low-price offerings.\r\nIt is likely that at some point the PMG PTE LTD signing key was stolen – a familiar technique of known Chinese threat actors to enable malware signing. 
VPN providers are critical targets, since they enable threat actors to potentially gain access to sensitive user data and communications.\r\nAt the time of writing, we have not observed any public statements by PMG PTE LTD clarifying the circumstances that have led to the use of their signing keys for signing malware. The DigiCert Certificate Authority has revoked the compromised certificate after a public discussion on the issue.\r\nHUI Loader\r\nThe malicious DLLs libcef.dll, msedge_elf.dll, and LockDown.dll distributed by agentupdate_plugins.exe and AdventureQuest.exe are HUI Loader variants. HUI Loader is a custom malware loader shared between several China-nexus groups. The loader is executed through sideloading by legitimate executables vulnerable to DLL hijacking and stages a payload stored in an encrypted file. HUI Loader variants may differ in implemented payload staging and execution techniques as well as additional functionalities, such as establishing persistence and disabling security features.\r\nlibcef.dll, msedge_elf.dll, and LockDown.dll closely resemble HUI Loader variants observed in a string of cyberespionage and ransomware operations that third parties have linked to APT10, TA410, and BRONZE STARLIGHT.\r\nThreat actor | Description\r\nBRONZE STARLIGHT (aliases: DEV-0401, SLIME34) | A China-based ransomware operator active since 2021. The group is known for deploying a variety of ransomware families, such as LockFile, AtomSilo, NightSky, LockBit 2.0, and Pandora, and shares tooling with APT10. BRONZE STARLIGHT’s main goal is suspected to be espionage rather than financial gain, using ransomware as a means of distraction or misattribution.\r\nAPT10 (aliases: BRONZE RIVERSIDE, MenuPass) | A China-nexus cyberespionage group active since at least 2009. 
The group focuses on targeting entities considered strategically important by the Chinese state.\r\nTA410 | A China-nexus cyberespionage group loosely linked to APT10, tracked as a distinct entity. The group is mostly known for targeting the US utilities sector and Middle Eastern governments.\r\nAPT10 and TA410 Operations\r\nThe cef_string_map_key function of libcef.dll downloaded by agentupdate_plugins.exe references the C:\\Users\\hellokety.ini file.\r\nThe cef_string_map_key function\r\nHUI Loader variants with this exact artifact have been reported as part of several cyberespionage operations:\r\nenSilo (now Fortinet) has disclosed cyberespionage activities in Southeast Asia observed in April 2019 and attributed them with medium confidence to APT10.\r\nResearchers from Macnica, Secureworks, and Kaspersky have presented on A41APT campaign activity conducted throughout 2021. A41APT is a long-running cyberespionage campaign targeting Japanese companies and their overseas branches. Kaspersky has attributed earlier A41APT activity (from March 2019 to the end of December 2020) with high confidence to APT10. TrendMicro has attributed A41APT activity over 2020 and 2021 to a group they track as Earth Tengshe, noting that Earth Tengshe is related to APT10 with some differences in employed TTPs.\r\nESET has presented on TA410 activities, noting the hellokety.ini artifact in this context. 
ESET also notes the possibility of misattribution of the April 2019 activities reported by Fortinet to APT10 instead of TA410.\r\nHUI Loader variants (hellokety.ini) used in APT10 and TA410 operations\r\nBRONZE STARLIGHT Operations\r\nSince around 2021, HUI Loader variants have been deployed in operations involving the ransomware families LockFile (Symantec, 2021; NSFOCUS, 2021), AtomSilo (Sophos, 2021), NightSky (Microsoft, 2021), LockBit 2.0 (SentinelLABS, 2022), and Pandora (TrendMicro, 2022). Some of these operations have been attributed to BRONZE STARLIGHT by the organizations disclosing them and all of them collectively by Secureworks. All of these ransomware families have been noted by Microsoft as being part of the BRONZE STARLIGHT arsenal in time intervals aligning with those of the previously mentioned operations.\r\nC2 Infrastructure\r\nThe Cobalt Strike C2 GET and POST URIs associated with the Operation ChattyGoblin domain duckducklive[.]top contain /functionalStatus and /rest/2/meetings, respectively. Their uncommon full forms closely resemble those observed by Secureworks in AtomSilo, Night Sky, and Pandora operations they attribute to BRONZE STARLIGHT. The researchers reported that, as of June 2022, they had not seen this Cobalt Strike configuration associated with other ransomware families. 
The threat actors have likely adapted a public Cobalt Strike malleable C2 profile available in a GitHub repository of the user xx0hcd.\r\nCobalt Strike C2 POST URI | Relation\r\n/rest/2/meetingsmCRW64qPFqLKw7X56lR41fx | Operation ChattyGoblin\r\n/rest/2/meetingsVDcrCtBuGm8dime2C5zQ3EHbRE156AkpMu6W | AtomSilo\r\n/rest/2/meetingsQpmhJveuV1ljApIzpTAL | Night Sky\r\n/rest/2/meetingsKdEs85OkdgIPwcqbjS7uzVZKBIZNHeO4r5sKe | Pandora\r\nThe C2 GET and POST URIs associated with the www.100helpchat[.]com and live100heip[.]com domains we observed contain /owa followed by character strings. The format of these strings resembles those in the URIs associated with duckducklive[.]top and also those reported in past BRONZE STARLIGHT activities. It is likely that the threat actors have adapted another open source Cobalt Strike malleable C2 profile, which is also available in a GitHub repository of the user xx0hcd.\r\nDomain | Cobalt Strike C2 URIs\r\nlive100heip[.]com | GET: /owa/Z7bziD-BDtV9U1aLS9AhW4jyN1NEOelTEi; POST: /owa/LAC9kgQyM1HD3NSIwi–mx9sHB3vcmjJJm\r\nwww.100helpchat[.]com | GET: /owa/aLgnP5aHtit33SA2p2MenNuBmYy; POST: /owa/XF0O-PjSCEslnDo51T0K4TOY\r\nThe Cobalt Strike profiles associated with the duckducklive[.]top, www.100helpchat[.]com, and live100heip[.]com domains share a C2 port number (8443) and a watermark (391144938). The earliest record of duckducklive[.]top becoming active is dated 24 Feb 2023. The earliest records of live100heip[.]com and 100helpchat[.]com becoming active are dated 24 Feb 2023 (overlapping with that of duckducklive[.]top) and 28 Feb 2023, respectively.\r\nThe three domains are each hidden behind CloudFlare, who were quick in remediation after we reported the service abuse. 
In this case, however, the actors revealed their true hosting locations due to an OPSEC mistake in their initial deployment of the domains’ SSL certificates on their Alibaba Cloud hosting servers at 8.218.31[.]103, 47.242.72[.]118, and 47.242.159[.]242.\r\nCertificate use on Alibaba IPs\r\nWhile the analysis of the Cobalt Strike profiles provides links to previous BRONZE STARLIGHT activities, an assessment of the specific group attribution based on current intelligence should be treated with caution. It is noteworthy that Chinese cyber espionage threat actors are progressively refining their operational tactics in manners that obfuscate clear attribution through publicly available intelligence sources alone.\r\nTo illustrate this concept, consider the scenario where a broader array of domains imitating various brands may be interconnected, such as those publicly documented involving the BRONZE STARLIGHT, TA410, and APT10 threat actors. Examples include microsofts[.]net, microupdate[.]xyz, microsofts[.]info, microsofts[.]org, miscrosofts[.]com, microsofts[.]com, kaspresksy[.]com, tencentchat[.]net, and microsoftlab[.]top.\r\nConclusion\r\nChina-nexus threat actors have consistently shared malware, infrastructure, and operational tactics in the past, and continue to do so. The activities this post discusses illustrate the intricate nature of the Chinese threat landscape. Better understanding of this landscape is essential for keeping up with its dynamics and improving defense strategies. Achieving this necessitates consistent collaboration and information sharing efforts. 
SentinelLABS remains dedicated to this mission and continues to closely monitor related threats.\r\nIndicators of Compromise\r\nFiles (SHA1)\r\nIndicator | Description\r\n09f82b963129bbcc6d784308f0d39d8c6b09b293 | agentupdate_plugins.exe\r\n1a11aa4bd3f2317993cfe6d652fbe5ab652db151 | LockDown.dll\r\n32b545353f4e968dc140c14bc436ce2a91aacd82 | mfeann.exe\r\n4b79016d11910e2a59b18275c786682e423be4b4 | Adobe CEF Helper.exe\r\n559b4409ff3611adaae1bf03cbadaa747432521b | identity_helper.exe\r\n57bbc5fcfd97d25edb9cce7e3dc9180ee0df7111 | agentdata.dat\r\n6e9592920cdce90a7c03155ef8b113911c20bb3a | AdventureQuest.exe\r\n76bf5ab6676a1e01727a069cc00f228f0558f842 | agentdata.dat\r\n88c353e12bd23437681c79f31310177fd476a846 | libcef.dll\r\n957e313abaf540398af47af367a267202a900007 | msedge_elf.dll\r\nSecond-Stage Data URLs\r\nURL | Downloaded by\r\nhttps[://]agenfile.oss-ap-southeast-1[.]aliyuncs.com/agent_source/temp1/cefhelper.zip | AdventureQuest.exe\r\nhttps[://]agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp2/agent_bak.zip | AdventureQuest.exe\r\nhttps[://]agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp3/adobe_helper.zip | agentupdate_plugins.exe\r\nhttps[://]codewavehub.oss-ap-southeast-1.aliyuncs[.]com/org/com/file/CodeVerse.zip | AdventureQuest.exe\r\nC2 Domains\r\nwww.100helpchat[.]com | Cobalt Strike\r\nlive100heip[.]com | Cobalt Strike\r\nC2 IP Addresses\r\n8.218.31[.]103 | Cobalt Strike\r\n47.242.72[.]118 | Cobalt Strike\r\nSource: https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/"
	],
	"report_names": [
		"chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9e3028aa01afb5984e7e1796b5914dd7f40309c.pdf",
		"text": "https://archive.orkl.eu/b9e3028aa01afb5984e7e1796b5914dd7f40309c.txt",
		"img": "https://archive.orkl.eu/b9e3028aa01afb5984e7e1796b5914dd7f40309c.jpg"
	}
}