{
	"id": "b754c6b5-c034-439b-8b95-af4bec324177",
	"created_at": "2026-04-06T00:22:30.204178Z",
	"updated_at": "2026-04-10T03:32:46.201098Z",
	"deleted_at": null,
	"sha1_hash": "bb9e7f082e1de2b251b846ad6bd268547b7aadc6",
	"title": "Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3514264,
	"plain_text": "Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links\r\nPublished: 2025-01-23 · Archived: 2026-04-05 18:59:19 UTC\r\nUpdate: Changes in 'Support_1024' Certificate Field\r\nSince our initial analysis, the 'Support_1024' field, which previously stood out in KeyPlug-related activity, has now been incorporated into WolfSSL's standard server PEM file (server.pem) published on GitHub. As a result, certificate-based detection methods that relied on this field are no longer a reliable indicator of KeyPlug infrastructure. However, we are continuing to track GhostWolf activity using additional methods beyond TLS certificate indicators, ensuring that our detection remains robust despite this change.\r\nTracking the infrastructure threat actors use is essential in identifying their operations, past and present, and gaining insights into their operational preferences. Defenders and researchers can trace attacks and anticipate future activity by analyzing the digital breadcrumbs left behind on servers, such as TLS certificates and server configurations.\r\nIn March 2023, Recorded Future's Insikt Group published a report detailing a cluster of network infrastructure associated with KEYPLUG, which they attributed to a suspected Chinese state-sponsored actor tracked by the company as RedGolf. The group is also referred to as APT41, BARIUM, and Earth Baku, among other aliases. Insikt Group uses the designation \"GhostWolf\" to describe this particular infrastructure set.\r\nBuilding on these findings, we examined the IP addresses in the report's IoC section to identify pivots and uncover evidence of ongoing activity. Our research revealed overlaps with recently reported operations, including KEYPLUG activity targeting Italian organizations in mid-2024. 
This post will shed light on how looking into historical TLS certificates can uncover renewed activity by the original threat actor or attempts by another group seeking to imitate their operations.\r\nHistorical Context and the Anomaly\r\nOur starting point in researching this activity relied on the IoC section of the report mentioned above, which listed 39 IPs associated with the GhostWolf infrastructure. We queried each IP in the Hunt app to identify commonalities that would aid in tracking more recent servers. One key data point surfaced again and again: the presence of a wolfSSL certificate found under the SSL History tab.\r\nhttps://hunt.io/blog/keyplug-infrastructure-tls-certificates-ghostwolf-activity\r\nPage 1 of 14\n\nFigure 1: The certificate that started our research into this infrastructure. (Hunt)\r\nwolfSSL is a lightweight, open-source SSL/TLS library designed for secure communications, particularly in embedded systems and RTOS environments. The certificate identified as belonging to the GhostWolf cluster closely mirrors the example certificates provided on the wolfSSL GitHub repository. Specifically, the server administrator opted for the 1024-bit version, although larger key sizes like 2048-bit are also available.\r\nThe example certificate hosted in the repo is displayed below.\r\nFigure 2: Snippet of ca-cert.pem for the wolfSSL library. (GitHub)\r\nIf you look too quickly, you may think the fields of the malicious certificate are identical to those in the above screenshot. However, a subtle but critical difference in the Organizational Unit (OU) fields is visible upon closer 
inspection. The legitimate example certificate uses \"Consulting_1024\" for both the Issuer and Subject, while the servers found by Insikt Group change this field to \"Support_1024.\"\r\nFigure 3: \"Support_1024\" OU field differentiating from the example certificate. (Hunt)\r\nThis small configuration change not only modifies the certificate's original SHA-256 hash but also produces a distinct JA4X fingerprint. As we'll discuss in the next section, these characteristics, combined with other indicators, allow us to identify newly deployed servers while filtering out those associated with the legitimate testing certificate.\r\nLeveraging Hunt for TLS Certificate Analysis\r\nNow that we've explored the GhostWolf infrastructure and the unique certificate configuration that led to our findings, let's examine how Hunt's SSL History tools, specifically \"Certificate IPs\", enable a deeper understanding of related servers and help build our search queries.\r\nPivoting With Certificate IPs\r\nRevisiting the initial screenshot, users can click the Certificate IPs button next to a certificate of their choice to view a detailed history. For example, the certificate in question with SHA-256 hash 4C1BAA3ABB774B4C649C87417ACAA4396EBA40E5028B43FADE4C685A405CC3BF is currently associated with 122 IP addresses according to our scan data.\r\nFigure 4: Snippet of the returned IPs sharing the same suspicious certificate. (Hunt)\r\nThe historical data includes many IPs from the RedGolf report, confirming that this hash is likely linked to the reported KEYPLUG activity and validating our approach to tracking this infrastructure.\r\nIf you haven't already, we highly recommend reading the entire PDF produced by the Insikt Group to learn additional insights into hosting provider preferences and server locations.\r\nWe won't be analyzing all 122 results here. 
Instead, later in this post, we will focus on the most recent IPs returned from our query, along with a small group of closely assigned servers overlapping with an indicator noted in Yoroi's 2024 blog post.\r\nJA4X Fingerprints\r\nWhen creating queries to search for adversary infrastructure, relying on a single data point is insufficient and a waste of time. To further refine the returned results, we'll turn to JA4X, integrated within the Hunt app on the certificate data page.\r\nIf you're unfamiliar with JA4X, it's part of the JA4+ fingerprinting suite and an extension of the JA3 TLS fingerprinting method, designed to create more precise fingerprints by including additional metadata. This enhancement improves the detection of malicious or anomalous connections.\r\nExamining the data for this certificate, we found that only 41 servers shared the JA4X fingerprint c9d784bbb12e_c9d784bbb12e_83900cc62ac7. This suggests a significant degree of similarity in how these servers are configured or managed, indicating they are under the control of the same threat actor.\r\nFigure 5: Screenshot of the JA4X fingerprint and issued/expired dates. (Hunt)\r\nAt this point, we have identified multiple unique indicators tied to the certificate, including:\r\nThe anomalous OU field: Support_1024.\r\nThe SHA-256 hash of the certificate.\r\nThe JA4X fingerprint: c9d784bbb12e_c9d784bbb12e_83900cc62ac7.\r\nThe more precise and targeted our query is, the more effectively we can narrow down results to a manageable set for further investigation. 
In the next section, we'll use Hunt's Advanced Search feature to see how many servers are still active.\r\nOngoing Activity\r\nWith all the necessary data points identified, we can now craft a search query to pinpoint likely GhostWolf servers that are still active. Given that we have both a JA4X fingerprint and an SHA-256 hash, we'll use JA4X for this search, as it provides more granular insights into handshake behavior, cipher suites, and other specific configuration details. Additionally, we'll include certificates with the Organizational Unit (OU) field set to Support_1024, as this appears to be a consistent marker for this cluster of IP addresses.\r\nUsing Hunt's Advanced Search feature, we crafted the following query in SQL syntax:\r\nja4x:c9d784bbb12e_c9d784bbb12e_83900cc62ac7 AND subject.organizational_unit:\"Support_1024\"\r\nThe above resulted in just six IP addresses, with the earliest detection by our network scans dating back to 2023.\r\nFigure 6: Advanced Search results in Hunt for the Support_1024 certificate.\r\nRecent Activity and Observations\r\nA few of the servers in the above figure were deployed within the past week, while others have remained active for varying durations. Port 443, usually HTTPS, is the most popular.\r\nPublic reporting on KEYPLUG highlights its support for various protocols, including HTTP/S, TCP, WSS, and KCP over UDP. For the servers running on port 443, scan data revealed responses of either TLS or TCPWRAPPED. 
Further examination of port history indicates that some IPs also hosted WebSocket or raw TCP servers during overlapping periods.\r\nHosted on port 8443 of 154.31.217[.]200 is what we believe (thanks to discussions with friends of Hunt) to be an HTTPS-based KEYPLUG C2 server that we have been tracking for some time.\r\nFigure 7: Screenshot of Hunt Active C2s page for KEYPLUG.\r\nTable 1 below depicts the hosting provider and geolocation information for the six IPs identified in our query:\r\nIP Address | Hosting Provider | Location\r\n149.28.131[.]126 | The Constant Company, LLC | SG\r\n65.20.79[.]156 | The Constant Company, LLC | IN\r\n154.31.217[.]200 | Nebula Global LLC | HK\r\n149.28.130[.]130 | The Constant Company, LLC | SG\r\n108.61.159[.]145 | The Constant Company, LLC | US\r\n67.43.234[.]150 | GloboTech Communications | CA\r\nTable 1: Advanced Search results.\r\nIn May 2024, Yoroi published a blog post on a suspected APT41 intrusion into Italian organizations, noting an IoC for IP address 67.43.234[.]146:443 communicating over the QUIC protocol. This is a closely assigned server to one of the results above in Table 1, 67.43.234[.]150. Reviewing the SSL History Certificate IPs in Hunt revealed two additional adjacent IPs, 67.43.234[.]147 and 67.43.234[.]148, active from March 27, 2023, to December 23, 2024.\r\nThis pattern of connected servers assigned in close groups aligns with reporting on GhostWolf infrastructure as a common acquisition method.\r\nWhile we, unfortunately, have no malware samples available to confirm direct connections between the IPs in the table and those mentioned in Yoroi's post, the overlaps and similarities to the acknowledged GhostWolf server warrant further investigation and monitoring.\r\nFigure 8: Screenshot of historical associations showing closely assigned IP addresses overlapping with previous reporting. 
(Hunt)\r\nA GhostWolf Variant?\r\nWhile investigating additional servers associated with the JA4X fingerprint, we identified another certificate (SHA-256 Fingerprint: 3d4a60efbfbd4d3eefbfbd62efbfbd0d51efbfbd53efbfbd1a6731efbfbd7fefbfbd1174efbfbd) on 114.55.6[.]216, which remains active at the time of writing. Unlike the other certificates using Support_1024, this one resembles the example certificate on the wolfSSL GitHub repo. However, the Issued On date and time are identical to our findings above, suggesting a possible connection.\r\nFigure 9: Screenshot of certificate data showing Issued On overlaps with previous findings. (Hunt)\r\nAlthough we cannot conclusively link this server to RedGolf activity, its hosting provider, geographic location (Aliyun Computing Co., LTD, CN), and observed port usage align with previously reported command and control infrastructure.\r\nAs we've seen throughout this blog post, analysis of TLS certificates, no matter how old, and their associated fingerprints can reveal potential connections worth investigating. Below, we'll summarize our findings and outline key takeaways for continued research and defense.\r\nConclusion\r\nThe reuse of modified certificate and server configurations over extended periods, coupled with consistent hosting provider preferences and consecutive IP assignments, suggests the ongoing activity of this threat actor. 
Whether this infrastructure is tied to RedGolf/APT41 or another group with access to the certificates remains uncertain. Still, the patterns observed and the recency of new servers being spun up warrant closer attention.\r\nThe above underscores the value of tracking certificates within your environments for defenders. Recommendations include:\r\nMonitoring environments for certificates with unusual or suspicious fields, such as altered Organizational Unit (OU) values or unexpected issue dates.\r\nIncorporating TLS fingerprinting methods like the JA4+ suite into detection workflows to identify suspicious patterns in network traffic.\r\nThese basic steps can assist users in detecting suspicious infrastructure more effectively, even when threat actors attempt to blend in with the noise.\r\nNetwork Observables and Indicators of Compromise (IOCs)\r\nIP Address | Hosting Provider | Location\r\n149.28.131[.]126 | The Constant Company, LLC | SG\r\n65.20.79[.]156 | The Constant Company, LLC | IN\r\n154.31.217[.]200 | Nebula Global LLC | HK\r\n149.28.130[.]130 | The Constant Company, LLC | SG\r\n108.61.159[.]145 | The Constant Company, LLC | US\r\n67.43.234[.]150 | GloboTech Communications | CA\r\n114.55.6[.]216 | Aliyun Computing Co., LTD | CN\r\nHistorical Network Observables and IOCs\r\n
Source: https://hunt.io/blog/keyplug-infrastructure-tls-certificates-ghostwolf-activity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/keyplug-infrastructure-tls-certificates-ghostwolf-activity"
	],
	"report_names": [
		"keyplug-infrastructure-tls-certificates-ghostwolf-activity"
	],
	"threat_actors": [
		{
			"id": "7936e2f8-5179-414a-8b57-530c28062f26",
			"created_at": "2023-04-27T02:04:45.231554Z",
			"updated_at": "2026-04-10T02:00:04.87247Z",
			"deleted_at": null,
			"main_name": "RedGolf",
			"aliases": [],
			"source_name": "ETDA:RedGolf",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"ELFSHELF",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f799b96d-bc59-4b35-ae5c-dfe87e5b735b",
			"created_at": "2023-04-26T02:02:01.286476Z",
			"updated_at": "2026-04-10T02:00:03.363506Z",
			"deleted_at": null,
			"main_name": "RedGolf",
			"aliases": [],
			"source_name": "MISPGALAXY:RedGolf",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb9e7f082e1de2b251b846ad6bd268547b7aadc6.pdf",
		"text": "https://archive.orkl.eu/bb9e7f082e1de2b251b846ad6bd268547b7aadc6.txt",
		"img": "https://archive.orkl.eu/bb9e7f082e1de2b251b846ad6bd268547b7aadc6.jpg"
	}
}