{
	"id": "d7eeb34c-8220-4cc9-a3ab-b0db9008761b",
	"created_at": "2026-04-06T00:15:05.181677Z",
	"updated_at": "2026-04-10T03:33:45.598174Z",
	"deleted_at": null,
	"sha1_hash": "bcf3c65090d3ee31cb5a7fd3e0d3d0a05459003c",
	"title": "The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3048367,
	"plain_text": "The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis\r\nPublished: 2024-01-24 · Archived: 2026-04-05 20:28:37 UTC\r\nWhat is the LODEINFO malware?\r\nAnalysis of LODEINFO\r\nThe infection flow\r\nUpdate of the Downloader Shellcode\r\nRemote Template Injection\r\nMaldoc\r\nVBA code embedded in Maldoc\r\nMicrosoft Office language check\r\nThe Downloader Shellcode\r\nFake PEM file decryption\r\nDeployment of LODEINFO Backdoor Shellcode loaded into Memory\r\nSimilarities with the known downloader DOWNIISSA\r\nLODEINFO Backdoor Shellcode\r\nAttacker infrastructure\r\nSummary\r\nIoCs\r\nWhat is the LODEINFO malware?\r\nLODEINFO is fileless malware that has been observed in campaigns starting with spear-phishing emails since December 2019. The infection is known to occur when a user opens a malicious Word file (hereafter Maldoc) attached to the spear-phishing email. (Excel files were also abused in the early days.)\r\nAccording to information released by security vendors, APT campaigns using LODEINFO target Japanese media, diplomacy, public institutions, defense industries, and think tanks. It is also suggested that the infamous APT group called APT10 is involved, given the similarities in their methods and malware.\r\nLODEINFO malware: published information up to 2022\r\n• APT10 HUNTER RISE ver3.0: Repel new malware LODEINFO, DOWNJPIT and LilimRAT\r\n• APT10: Tracking down LODEINFO 2022, part I\r\n• Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities\r\n• Fighting to LODEINFO: Investigation for Continuous Cyberespionage Based on Open Source\r\n• LODEINFO, a malware targeting organizations in Japan\r\n• The evolution of LODEINFO malware\r\nhttps://blog-en.itochuci.co.jp/entry/2024/01/24/134100\r\nPage 1 of 16\n\nAttacks using LODEINFO have continued in 2023, with multiple versions of the malware being discovered. 
The malware is still being actively developed, as evidenced by the frequency of its version updates.\r\nFigure 1. Evolution of LODEINFO\r\nFor information on version updates prior to September 2022, please refer to the following article:\r\nAPT10: Tracking down LODEINFO 2022, part II\r\nWe analyzed each version of the LODEINFO malware and identified the changes.\r\nBased on our analysis, the malware has been updated with new features and with changes to its anti-analysis (analysis-evasion) techniques. This suggests that the attackers are focusing on concealing their Tactics, Techniques, and Procedures (TTPs), including the malware itself.\r\nGiven the limited public information on detection, it is likely that detecting LODEINFO is becoming more difficult. In 2023, only a limited number of LODEINFO samples were discovered, and the results of their investigation and analysis were not widely made public.\r\nAs of the publication of this post (January 24, 2024), we have observed a new version of LODEINFO, v0.7.3. In this article, we detail the updates to LODEINFO observed from the end of 2022 to January 2024, including v0.7.3.\r\nThe infection flow\r\nThe following is the infection flow of LODEINFO observed in 2023. It shows some changes from the previous versions.\r\nUpdate of the Downloader Shellcode\r\nThe initial infection path is the same as in previous versions: the infection starts from a malicious Word document (Maldoc), and LODEINFO is eventually injected into memory.\r\nIn 2023, the VBA code in this Maldoc was updated. 
Specifically, VBA code embedding Downloader Shellcodes for both 32-bit and 64-bit was added, and the appropriate shellcode is selected depending on the target environment.\r\nThe adoption of the 64-bit architecture in Windows OS is a challenge for many organizations, and LODEINFO has also likely changed to adapt to the 64-bit architecture.\r\nFigure 2. New infection flow implemented since LODEINFO v0.6.8\r\nThe changes in the infection flow were implemented in v0.6.8 through v0.7.1, observed in 2023, and in later versions.\r\nRemote Template Injection\r\nIn LODEINFO v0.6.9, we have also observed more complex cases that use Remote Template Injection in the infection flow described above.\r\nWhat is Remote Template Injection?\r\nMicrosoft Word has a \"template\" feature that allows users to create files based on templates created by other users. When a Word file that references a template is opened, the template is downloaded from the local or remote machine.\r\nUsing the above \"template\" feature, an attacker can host a Word template file (.dotm) containing malicious Macros on their server and have the malicious template retrieved and executed from the attacker's server every time the victim opens a Word file that references the template.\r\nWhen a Word file using Remote Template Injection is opened, it downloads and reads the template from the attacker's C2 server.\r\nThe downloaded template is malware equivalent to the Maldoc mentioned above, and it contains VBA code with the Downloader Shellcode embedded. This eventually calls the LODEINFO main body. The following is an image of the infection flow with Remote Template Injection added.\r\nFigure 3. 
Infection flow with Remote Template Injection added\r\nThe attached Word file itself only reads the template, making it difficult to detect as malicious activity. This technique is likely intended to evade detection by security products.\r\nTo further analyze the structure of the Word file using Remote Template Injection, we can check the contents of the \\word\\_rels\\settings.xml.rels file inside the Word file. This shows that the file is designed to read the template file https://45.76.222[.]130/template.dotm .\r\nFigure 4. Word file’s structure that uses Remote Template Injection\r\nMaldoc\r\nNext, we will introduce the VBA included in the Maldoc.\r\nVBA code embedded in Maldoc\r\nThe VBA code embedded in the Maldoc contains both 64-bit and 32-bit Downloader Shellcodes.\r\nFigure 5. Part of the VBA code embedded in Maldoc\r\nThe Macro first checks the OS architecture of the target device and then executes the Downloader Shellcode that matches that architecture.\r\nEach Downloader Shellcode is encoded using Base64 and split into many parts. This is thought to be a technique to evade detection by security products.\r\nWhen the Macro is executed, the split parts are reassembled, and the Base64-decoded Shellcode is injected into memory.\r\nFigure 6. Reassembly of the Base64-encoded and split Shellcode\r\nMicrosoft Office language check\r\nCode to check the language settings of Microsoft Office was deployed in the v0.7.0 Maldoc. The sample we confirmed checks whether the Office setting is Japanese or not. This is thought to be created to operate only in the target language environment.\r\nInterestingly, this feature was removed by the attacker in v0.7.1. In addition, the filename of the Maldoc itself has been changed from Japanese to English. 
From this, we believe that v0.7.1 was likely used to attack environments in languages other than Japanese.\r\nThe Downloader Shellcode\r\nThe Downloader Shellcode used in LODEINFO v0.7.1 is malware that downloads and decrypts a file disguised as a PEM file (hereinafter referred to as the Fake PEM) from the C2 server, and finally creates files to infect the host with LODEINFO.\r\nThe Shellcode itself is a very simple downloader, so we will share the analysis results for the process of decrypting data from the Fake PEM file.\r\nWhat is a PEM file?\r\nAn abbreviation for Privacy Enhanced Mail file.\r\nOne of the file formats for keys and certificates used in public key infrastructure (PKI). Originally created to improve the security of email, it is now a standard in internet security.\r\nPEM files are used in the settings of web servers, email servers, and secure communication protocols (such as HTTPS).\r\nFake PEM file decryption\r\nThe Downloader Shellcode downloads the Fake PEM file from the C2 server. The file is then decrypted using the following steps:\r\n1. The header and footer of the Fake PEM file are removed.\r\n2. The data from step 1 is decoded using Base64.\r\n3. The first 3 bytes of the data decoded in step 2 are removed.\r\n4. An HMAC is generated using the SHA1 hash algorithm from the password hardcoded in the Downloader Shellcode.\r\n5. The HMAC generated in step 4 is used as the key for AES, and the data from step 3 is decrypted using AES.\r\n6. The data decrypted in step 5 is further decoded using a single-byte XOR key.\r\nWhat is HMAC (Hash-based Message Authentication Code)?\r\nA code and technique for ensuring the integrity and authenticity of a message using a one-way hash function. 
It is widely used in secure communications where it is necessary to verify the sender of the data or that the data has not been tampered with in transit.\r\nThe passwords were hardcoded in the samples we investigated in the following format. Without this password, even if the Fake PEM file is successfully obtained, it is extremely difficult to decrypt the subsequent data.\r\nFigure 8. Hardcoded passwords required to decrypt the Fake PEM file\r\nDeployment of LODEINFO Backdoor Shellcode loaded into Memory\r\nThe data decrypted in step 6 has a unique data structure. Objects such as the malicious Frau.dll are embedded in it for use in the next step. We will explain the details of the structure.\r\nFigure 9. Structure of the data restored from the Fake PEM file\r\nThe restored data contains the following multiple objects:\r\nElze.exe\r\nFrau.dll\r\nElze.exe_bak\r\nEach object is written to a file by the Downloader Shellcode and placed on the infected endpoint. Then, Elze.exe is executed. Elze.exe itself is a legitimate file, but it loads the malicious Frau.dll using DLL side-loading. Frau.dll is a very simple malware that loads the LODEINFO Backdoor Shellcode as a payload into memory.\r\nHowever, in v0.6.6, v0.6.8, and v0.6.9, obfuscation is further strengthened by using Control-Flow Flattening (CFF) and Junk code. As you can see in the figure below, the program flow on the left side is very complex. The code on the right side of the figure is the corresponding code, but most of it is filled with CFF (yellow) and Junk code (gray), and only a small amount of malicious code (white) is actually used. This also suggests that the attacker is focusing on obstructing analysis.\r\nFigure 10. 
Example of a program flow and code obfuscated by CFF and Junk code.\r\nFinally, the Elze.exe_bak file, which contains the LODEINFO Backdoor Shellcode encoded with a single-byte XOR, is read by Frau.dll and decoded as the payload.\r\nWhat is Control-Flow Flattening?\r\nA technique for making the structure of a program difficult to understand.\r\nSimple processing is replaced with conditional branching and looping, so processing that flows vertically in the control flow becomes arranged horizontally by conditional branches and loops. As the control flow becomes flat, the program's processing flow becomes complicated and difficult to analyze.\r\nAttacking Emotet’s Control Flow Flattening – Sophos News\r\nSimilarities with the known downloader DOWNIISSA\r\nBy conducting a detailed analysis, we confirmed that the Downloader Shellcode we found and the known downloader DOWNIISSA have three similarities.\r\nHowever, we believe that DOWNIISSA and the Downloader Shellcode we analyzed are from different malware families based on their structure.\r\nSimilarities:\r\n1. Self-patching mechanism to hide malicious code\r\n2. Encoding method for C2 server information\r\n3. Structure of the data decrypted from the Fake PEM file\r\nReference\r\nAPT10: Tracking down LODEINFO 2022, part I\r\nSimilarity 1: Self-patching mechanism to hide malicious code\r\nThe first similarity is the patching mechanism used to decode the Shellcode itself.\r\nDOWNIISSA, reported in 2022, had a process to patch the Shellcode itself when the Shellcode was executed. The newly found Downloader Shellcode also has a self-patching mechanism.\r\nFigure 11. The self-patching mechanism in Downloader Shellcode\r\nAlthough it resembles DOWNIISSA in performing self-patching within the Shellcode, there are also clear differences. 
DOWNIISSA used Base64, but the current Downloader Shellcode uses XOR decoding. The XOR key is incremented one by one from 0x00 to 0xFF.\r\nSimilarity 2: Encoding method for the C2 server information\r\nThe second similarity is that the encoding method of the C2 server information embedded in the Shellcode is the same. The Downloader Shellcode contains two C2 server addresses, which are encoded with a single-byte XOR. Not only the encoding method but also the embedding method is very similar.\r\nFigure 12. C2 server information and the Fake PEM file embedded in the Downloader Shellcode\r\nSimilarity 3: Structure of the data decrypted from the Fake PEM file\r\nAs mentioned above, the data decrypted from the Fake PEM file has a unique structure, and it has been confirmed to adopt the same data structure as the data decrypted by DOWNIISSA.\r\nLODEINFO Backdoor Shellcode\r\nLODEINFO Backdoor Shellcode is fileless malware that allows attackers to remotely access and operate infected hosts. The following features are unchanged from the published information:\r\n• The C2 server address uses a unique data structure.\r\n• A mechanism that refers to the address of the embedded data is characteristic.\r\n• The Backdoor Command ID is hidden using a 2-byte XOR.\r\n• The structure and encryption of the communication data with the C2 server are very complex, as shown in the figure below.\r\n• The above encryption uses the Vigenère cipher multiple times.\r\nFigure 13. Overview of the unique data structure and encryption used for communication with the C2 server\r\nOur analysis of multiple LODEINFO samples found in 2023 revealed the following differences from previously published information:\r\n1. Change in the hash calculation algorithm for obtaining API function names\r\n2. 
Addition of backdoor commands\r\nChange 1: Change in the hash calculation algorithm for obtaining API function names\r\nv0.7.0 uses a new hash calculation algorithm compared to v0.6.9. This change makes it impossible to match signatures using the same rules as for previous samples.\r\nThe hash calculation algorithm is used by the malware to calculate the hash of API function names and resolve function addresses. The hash calculation logic includes a hard-coded XOR key that is different for each sample. This key is used for XOR decoding, so the hash values embedded in each sample are different.\r\nFigure 14. Change in the hash calculation algorithm\r\nChange 2: Additions to backdoor commands\r\nLODEINFO implements the following backdoor commands to control infected hosts.\r\nThe number of backdoor commands was reduced to 11 in v0.6.5, but v0.7.1 restored 6 commands and added the new runas command, bringing the total to 18.\r\nAdditionally, four commands (keylog, ps, pkill, autorun) that had previously been removed were restored in v0.7.2 and v0.7.3. Furthermore, the config command, which previously only returned \"Not Available,\" has now been implemented.\r\nCommand | Description | v0.6.5 | v0.7.1 | v0.7.2, v0.7.3\r\ncommand | List the embedded backdoor commands. | Enable | Enable | Enable\r\nls | Get a list of files. | Removed | Enable | Enable\r\nrm | Delete a file. | Removed | Enable | Enable\r\nmv | Move a file. | Removed | Enable | Enable\r\ncp | Copy a file. | Removed | Enable | Enable\r\ncat | Upload a file to C2. | Removed | Enable | Enable\r\nmkdir | Create a directory. | Removed | Enable | Enable\r\nsend | Download a file from C2. | Enable | Enable | Enable\r\nrecv | Upload a file to C2. | Enable | Enable | Enable\r\nmemory | Inject Shellcode into memory. | Enable | Enable | Enable\r\nkill | Kill a process by process ID. | Enable | Enable | Enable\r\ncd | Change directory. | Enable | Enable | Enable\r\nver | Send malware and system information. This includes the current OS version, malware version, process ID, path of the executable file, system username, current directory, C2 and Mutex names. | Enable | Enable | Enable\r\nprint | Take a screenshot of the desktop. | Enable | Enable | Enable\r\nransom | Encrypt files using a generated AES key, and simultaneously encrypt that AES key using a hardcoded RSA key. | Enable | Enable | Enable\r\ncomc | Execute a command using WMI. | Enable | Enable | Enable\r\nconfig | Write settings to the registry (implemented in v0.7.2; this function only returned \"Not Available.\" prior to v0.7.1). | Not Available | Not Available | Enable\r\nrunas | Run a command as a specific user (implemented in v0.7.1). | N/A | Enable | Enable\r\nkeylog | Save the keystrokes, date and time, and name of the active window from the infected endpoint. Uses single-byte XOR encryption, and the file is saved to %temp%%hostname%.tmp. | Removed | Removed | Enable\r\nps | List processes. | Removed | Removed | Enable\r\npkill | Kill a process. | Removed | Removed | Enable\r\nautorun | Set and remove persistence. | Removed | Removed | Enable\r\nAttacker infrastructure\r\nBased on the analysis results of LODEINFO presented so far, we will introduce the characteristics of the communication destinations obtained from each sample.\r\nThe trend of the attacker's infrastructure that we observed in 2023 is consistent across versions, and the attackers' preference for using AS-CHOOPA continues.\r\nFigure 15. LODEINFO attacker infrastructure.\r\nSummary\r\nIn 2023, multiple versions of LODEINFO were also observed, and v0.7.3 was observed in January 2024. 
It is important to remain vigilant, as there is a high possibility that various new features and detection evasion techniques will be incorporated in the future.\r\nAs a countermeasure, since both the Downloader Shellcode and the Backdoor Shellcode of LODEINFO are fileless malware, it is essential to deploy a product that can scan for and detect malware in memory. Based on our research results to date, we are not only introducing products that can scan memory but are also taking various measures specialized for LODEINFO. We will continue to expand our research and countermeasures in the future.\r\nWe hope to continue to exchange information on the threat of LODEINFO with the CERTs of organizations that are exposed to this cybersecurity threat and need the analysis.\r\nFinally, two presentations on LODEINFO are scheduled for JSAC2024. Although registration for participation has ended, some materials will be released later, so please use them to obtain the latest information.\r\nIoCs\r\nMD5 of samples:\r\nC2s:\r\nSource: https://blog-en.itochuci.co.jp/entry/2024/01/24/134100",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog-en.itochuci.co.jp/entry/2024/01/24/134100"
	],
	"report_names": [
		"134100"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434505,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bcf3c65090d3ee31cb5a7fd3e0d3d0a05459003c.pdf",
		"text": "https://archive.orkl.eu/bcf3c65090d3ee31cb5a7fd3e0d3d0a05459003c.txt",
		"img": "https://archive.orkl.eu/bcf3c65090d3ee31cb5a7fd3e0d3d0a05459003c.jpg"
	}
}