{
	"id": "80f1aee8-6cb2-4a3c-9b7c-726db95482d7",
	"created_at": "2026-04-17T02:20:44.236864Z",
	"updated_at": "2026-04-18T02:21:49.793878Z",
	"deleted_at": null,
	"sha1_hash": "bfddf153fee35967f9007b06edff9b24d2929bb2",
	"title": "Key Insights on SHADOW-AETHER-015 and Earth Preta from the 2025 MITRE ATT\u0026CK Evaluation with TrendAI Vision One™",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1054799,
	"plain_text": "Key Insights on SHADOW-AETHER-015 and Earth Preta from\r\nthe 2025 MITRE ATT\u0026CK Evaluation with TrendAI Vision One™\r\nBy By: Trend Micro Jan 13, 2026 Read time: 9 min (2303 words)\r\nPublished: 2026-01-13 · Archived: 2026-04-17 02:06:33 UTC\r\nKey takeaways:\r\nThe MITRE ATT\u0026CK Evaluation Round 7 (ER7 2025) validates the progress made by TrendAI Vision\r\nOne™ toward a unified security operations platform. This blog discusses further the results of TrendAI™\r\nin ER7.\r\nScenario 1 (Demeter), an emulation inspired by SHADOW-AETHER-015 shows the complexity of\r\nmodern cloud attacks, where adversaries can pivot from compromised endpoints to cloud infrastructure,\r\nleveraging stolen credentials and tokens to establish persistence, move laterally across hybrid\r\nenvironments, and exfiltrate sensitive data at scale.\r\nMeanwhile, scenario 2 (Hermes), the emulation inspired by Earth Preta, highlights the sophistication of\r\nphishing-based attacks, emphasizing the use of advanced loaders, anti-analysis techniques, lateral\r\nmovement, credential harvesting, and data exfiltration, followed by meticulous cleanup to reduce forensic\r\ntraces and hinder detection.\r\nTrendAI’s results in the MITRE ATT\u0026CK ER7 align strongly with the current need for platforms to\r\nautomatically correlate telemetry into meaningful alerts across hybrid environments. TrendAI Vision One\r\ndetects and blocks the IoCs related to the threat actors mentioned in this blog. 
TrendAI customers can also\r\naccess tailored hunting queries, threat insights, and intelligence reports to better understand and proactively\r\ndefend against these threat actor groups.\r\nThis blog examines notable modern tactics, techniques, and procedures (TTPs) that TrendAI™ Research has\r\nobserved in the two emulations during the MITRE ATT\u0026CK Evaluation Round 7 (ER7 2025), which featured Earth\r\nPreta (also known as Mustang Panda) and SHADOW-AETHER-015 (TrendAI Research’s intrusion name for a\r\nparticular group of activities with modern TTPs characterized by AI-generated attacks, sophisticated phishing\r\nattacks, and/or social engineering). These observed, analyzed, and reported TTPs support the performance of\r\nTrendAI Vision One™ in ER7, reinforcing the position of TrendAI™ as a trusted leader in detection and response\r\ninnovation.\r\nER7 marked a significant evolution in MITRE’s approach: it now includes both on-premises and\r\ncloud-based attacks, as well as the Reconnaissance tactic. This not only simulates the hybrid environments that real\r\nSOC teams defend today but also highlights the need for SOC teams to rely on effective enterprise\r\ntools. TrendAI Vision One’s results in ER7 reinforce TrendAI's position as a trusted leader in detection and\r\nresponse innovation. Enterprises can rely on the platform for up-to-date and up-to-standard analytic coverage\r\nacross all major attack steps, protection across all evaluated attack opportunities, and cloud layer coverage,\r\nincluding both detection and protection.\r\nhttps://www.trendmicro.com/en_us/research/26/a/shadow-aether-015-earth-preta-mitre.html\r\nPage 1 of 8\n\nMITRE scenario 1 (Demeter)\r\nIn this emulation, cloud (AWS) scenarios highlighted how attackers can pivot from an endpoint into the cloud. The\r\nintrusion begins by phishing an unmanaged workstation using an adversary-in-the-middle SSO kit to\r\nsteal high-privilege credentials and MFA tokens. 
This enables RDP access, internal discovery, Active Directory\r\nenumeration, and reconnaissance of shared network resources.\r\nThe attacker then pivots to AWS, enumerating IAM, S3, VPCs, and costs while evading defenses, and\r\nestablishing persistence through a new admin IAM user and a privileged EC2 instance. This allows them to\r\nharvest secrets and tokens, moving laterally across Linux and Windows systems using tunnelling and RMM tools.\r\nThe attack concludes with large-scale data collection and exfiltration, syncing application and file-share data from\r\ninternal systems to attacker-controlled S3 buckets.\r\nThis section provides a high-level summary of how Scenario 1 (Demeter) unfolds, highlighting the core execution\r\nflow, infrastructure interactions, and progression of the attack chain from initial access through cleanup.\r\nFor a detailed, step-by-step breakdown of the scenario that includes emulation context, tooling, and\r\nattack objectives, refer to MITRE’s official CTI emulation documentation.\r\nMore information that enterprises should know about SHADOW-AETHER-015\r\nScenario 1 is inspired by observed TTPs from SHADOW-AETHER-015, a highly adaptable and aggressive\r\ncybercriminal group known for fluent English-language social engineering, particularly vishing and help-desk\r\nimpersonation, which allows operators to blend effectively into corporate support environments.\r\nTheir activity is characterized by identity abuse and cloud compromise. The group is also known to use multi-pressure extortion: high-value data theft, leak threats, ransomware, cloud/VMware disruption, and employee\r\nintimidation. SHADOW-AETHER-015 primarily targets identity and access management systems such as Okta\r\nand Azure AD/Entra ID, abusing social engineering, MFA fatigue, token theft, and adversary-in-the-middle\r\nphishing to bypass authentication controls. 
After gaining identity access, the threat actors leverage legitimate\r\ncredentials with IAM misuse and configuration abuse to move laterally across SaaS and cloud environments,\r\nincluding AWS, Azure, and Google Workspace.\r\nActivities linked to the group initially focused on SIM-swapping and telecommunications fraud, but have since\r\nevolved to target cloud, SaaS, and enterprise environments for data theft and, in some cases, ransomware\r\ndeployment. The group diversifies monetization through cryptocurrency theft, account-takeover resale, long-term\r\ncloud persistence, partnerships with multiple RaaS groups, and selling large customer datasets.\r\nSHADOW-AETHER-015 is a group focused on high-value, high-leverage intrusions, and has been observed to\r\nconsistently pursue enterprises with large volumes of data, complex IT operations, and low tolerance for downtime. Its\r\nlist of victims suggests that the group prioritizes sectors rich in credit-card data, travel records, healthcare and\r\nloyalty information.\r\nThe group’s operations have affected telecommunications and business process outsourcing (BPO) providers. The\r\ngroup has also compromised tech SaaS and identity platforms to obtain privileged access into enterprise\r\nenvironments, alongside notable intrusions in hospitality and gaming organizations. 
Additional targets include\r\nfinance and insurance firms, aviation and travel operators, and managed service provider (MSP) and IT\r\ncompanies.\r\nSHADOW-AETHER-015 has been observed to be most active in English-speaking countries such as the US, UK,\r\nCanada, and Australia, with additional victim presence in India, Singapore, Thailand, and Brazil.\r\nThe earliest structured campaigns linked to the group occurred from March to July 2022 under the “0ktapus”\r\nphishing campaign, but it should be noted that some SIM-swapping activity that could potentially be linked to\r\nearly SHADOW-AETHER-015 operators predates this.\r\nThe group’s progression shows rapid improvement in both technical sophistication and operational ambition, as\r\nshown in figure 1.\r\nMITRE Scenario 2 (Hermes)\r\nIn scenario 2, the attack begins with a phishing email that delivers a malicious document, leading the victim to\r\ndownload a password-protected archive and execute a malicious LNK file that side-loads the ORPHEUS loader.\r\nThe loader performs anti-analysis checks, injects into a trusted process, loads shellcode in memory,\r\nand establishes encrypted command-and-control (C\u0026C). From there, the attacker conducts host and network\r\ndiscovery, pivots laterally using remote execution techniques, and establishes a remote command interface on\r\nhigher-value systems.\r\nCredential access is achieved by extracting directory service databases and registry hives, which are staged and\r\nexfiltrated for offline cracking. Persistence is then established through registry run keys and scheduled tasks\r\nto maintain access. The attacker proceeds to collect and compress targeted documents using archiving utilities,\r\nexfiltrating the data via command-line transfer tools over existing C\u0026C channels.
\r\nFinally, cleanup scripts are executed to remove persistence mechanisms and on-disk artifacts, reducing forensic\r\nevidence and hindering detection.\r\nThis section provides a high-level summary of how scenario 2 (Hermes) unfolds, highlighting the core execution\r\nflow, infrastructure interactions, and progression of the attack chain from initial access through cleanup.\r\nFor a detailed, step-by-step breakdown of the scenario that includes emulation context, tooling, and\r\nattack objectives, refer to MITRE’s official CTI emulation documentation.\r\nFigure 2 shows a timeline of notable pivots in Earth Preta’s tooling, infrastructure, and core TTPs used,\r\nas monitored by TrendAI Research.\r\nMore information that enterprises should know about Earth Preta\r\nScenario 2 is inspired by Earth Preta, a China-based advanced persistent threat (APT) group that has been active\r\nsince at least 2012. Earth Preta’s operations are primarily driven by state-aligned intelligence objectives. The\r\ngroup focuses on political and military intelligence collection, long-term strategic awareness, and surveillance\r\nof communities, prioritizing sustained access and information gathering over direct financial gain.\r\nThe group’s activity shows a strong concentration in Asia and Southeast Asia, reflecting strategic regional\r\ninterests. However, Earth Preta has also demonstrated the capability and intent to operate beyond this region,\r\nextending campaigns into Europe and other global locations when aligned with broader geopolitical objectives.\r\nWhile government-related entities remain the primary targets, Earth Preta campaigns frequently expand\r\ninto strategic industries such as energy, maritime, infrastructure, manufacturing, telecommunications, and\r\ntransportation. 
Targeting these sectors suggests an interest in economic, industrial, and critical infrastructure\r\nintelligence that is integral to a country’s position in international relations.\r\nEarth Preta carefully selects infrastructure that enables persistent access and intelligence collection, often\r\nprioritizing government networks, enterprise environments, and systems supporting domain services, file storage,\r\nand internal communications. Their targeting reflects an emphasis on environments that provide broad visibility\r\ninto organizational operations and strategic decision-making processes. Earth Preta’s operations are also marked\r\nby frequent updates to tooling, flexible infection and persistence mechanisms, and a willingness to shift tactics, all\r\nof which suggest significant resources, sophistication, and the intention to continue operating long-term. These are further discussed in table 1.\r\nOver time the group has adopted many aliases, including Bronze President, TA416, RedDelta, HIVE0154, and\r\nStately Taurus, which can reflect both operational rebranding and attribution uncertainty.\r\nPeriod: Key event\r\n2012 – 2016: Early activity and foundational tooling\r\nEarth Preta first appeared using PlugX/Korplug RAT, delivered through basic spear-phishing\r\nattachments and decoy documents. The group’s C\u0026C setup was simple: it relied on direct servers\r\nwith minimal obfuscation and standard DLL sideloading for execution and persistence. It initially\r\ntargeted mostly NGOs, policy institutes, and government-linked bodies in Asia. 
\r\n2017 – 2019: Delivery chain becomes more sophisticated\r\nDuring this time, the group improved its phishing tactics with policy- and diplomacy-themed\r\nlures, often packaged in ZIP/RAR archives or malicious LNK shortcuts for initial access.\r\nInfrastructure saw more rotating C\u0026C servers, modular loaders, and slightly more stealth.\r\n2020 – 2022: Multiregional reach and hardened C\u0026C\r\nEarth Preta expanded operations into Europe and refined multi-stage loader chains, adding\r\nencrypted C\u0026C traffic, obfuscation layers, and PlugX variants like Hodur. This period marks the\r\ntransition toward targeted, persistent espionage campaigns. During this period, TrendAI reporting\r\ndocumented PlugX evolution and campaign activity.\r\n2023: Modular backdoors and long-term access\r\nCampaigns such as Stately Taurus highlight intrusions into Southeast Asian government\r\nenvironments, supported by DOPLUGS and PubLoad loaders for modular payload execution. The\r\ngroup’s target scope for intelligence gathering also widened to include systems tied to policy and\r\nstrategic value such as energy, manufacturing, academic networks, and maritime assets.\r\n2024: Proxy-based infrastructure and stealth uplift\r\nEarth Preta began employing StarProxy to mask beaconing and route C\u0026C traffic,\r\nalongside ToneShell, which leverages FakeTLS encrypted communication, making detection\r\nchallenging. Its C\u0026C stack matured into a proxy with a layered backdoor structure. 
TrendAI\r\nResearch highlights DOPLUGS/ToneShell campaigns and stealth behavior.\r\n2025: USB worm and air-gapped intrusion capability\r\nEarth Preta’s recent activity features SnakeDisk, a USB-propagating worm used to deliver Yokai\r\nand updated ToneShell backdoors, enabling compromise of air-gapped or restricted networks.\r\nInitial access is still commonly via spear-phishing attachments, followed by DLL sideloading,\r\nexecution using command/scripting interpreters, and encrypted C\u0026C channels for stealth.\r\nTable 1. A timeline of notable events observed from the APT group Earth Preta\r\nMITRE ATT\u0026CK Techniques Observed\r\nMITRE ATT\u0026CK Evaluation Results\r\nTrendAI demonstrated strong detection and coverage in ER7 for both scenarios. A detailed breakdown of\r\nTrendAI's performance and detection capabilities is available in our official analysis that can be found here.\r\nMITRE ATT\u0026CK Evaluations provide an industry-standard, threat-informed framework for understanding\r\nattacker behaviors, techniques, and tactics. These evaluations allow organizations to:\r\nBenchmark security solutions against real-world attack scenarios.\r\nIdentify gaps in detection and response capabilities.\r\nStay updated on the latest adversary techniques and trends.\r\nSolutions and platforms like TrendAI Vision One operationalize and automate the identification of gaps in\r\ndetection and response capabilities by producing a balanced set of high-confidence alerts across all major attack\r\nsteps: enough to ensure full visibility without overwhelming analysts or masking key attacker activity. 
TrendAI\r\nVision One:\r\nMonitors and tracks attack routines as they attempt to move and execute within the organization’s\r\nnetworks, systems, and infrastructure.\r\nDetects and blocks threats as early as possible in the attack lifecycle.\r\nProvides actionable insights that are mapped to the MITRE ATT\u0026CK framework, enabling SOC teams to\r\nbetter understand and respond to threats.\r\nTrendAI’s results in ER7 align strongly with the current need for platforms to automatically correlate telemetry\r\ninto meaningful alerts across hybrid environments, specifically when multiple data sources must come together to\r\nexplain details about a significant event. MITRE’s insights also align with the enhancements already underway\r\nacross the TrendAI Vision One platform.\r\nEnterprises must regularly review MITRE ATT\u0026CK Evaluations and leverage platforms like TrendAI Vision One\r\nto map their organization’s detection and response coverage, identify gaps, and continuously improve their\r\nsecurity posture.\r\nTrendAI Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, TrendAI Vision One customers can access a range of Intelligence\r\nReports and Threat Insights within Vision One. Threat Insights helps customers stay ahead of cyber threats before\r\nthey happen and allows them to prepare against emerging threats by offering comprehensive information on threat\r\nactors, their malicious activities, and their techniques. 
By leveraging this intelligence, customers can take\r\nproactive steps to protect their environments, mitigate risks, and effectively respond to threats.\r\nTrendAI Vision One Intelligence Reports App related entries [IOC Sweeping]\r\nEarth Preta Campaign Uses DOPLUGS to Target Asia\r\nVision One Emerging Threat\r\nEarth Preta Evolves its Attacks with New Malware and Strategies\r\nVision One Emerging Threat\r\nEarth Preta Mixes Legitimate and Malicious Components to Sidestep Detection\r\nVision One Emerging Threat\r\nTrendAI Vision One Threat Actor Profiles\r\nEarth Preta\r\nEarth Preta IoC sweeping\r\nSHADOW-AETHER-015\r\nSHADOW-AETHER-015 IoC sweeping\r\nHunting Queries\r\nTrendAI Vision One Search App\r\nTrendAI Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nHunting queries in the TrendAI Vision One Search App are available for Vision One customers with Threat\r\nInsights Entitlement enabled.\r\nSource: https://www.trendmicro.com/en_us/research/26/a/shadow-aether-015-earth-preta-mitre.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/26/a/shadow-aether-015-earth-preta-mitre.html"
	],
	"report_names": [
		"shadow-aether-015-earth-preta-mitre.html"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-18T02:00:05.143642Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-18T02:00:05.212494Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "046c3e3a-7564-444c-9269-e1c129166c53",
			"created_at": "2026-04-17T02:00:03.806416Z",
			"updated_at": "2026-04-18T02:00:04.273319Z",
			"deleted_at": null,
			"main_name": "SHADOW-AETHER-015",
			"aliases": [],
			"source_name": "MISPGALAXY:SHADOW-AETHER-015",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-18T02:00:03.667374Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-18T02:00:03.67245Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Muddled Libra",
				"Oktapus",
				"Scattered Swine",
				"Scatter Swine",
				"Octo Tempest",
				"Starfraud",
				"UNC3944",
				"0ktapus",
				"Storm-0971",
				"DEV-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-18T02:00:03.393464Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"BRONZE PRESIDENT",
				"Earth Preta",
				"Polaris",
				"HoneyMyte",
				"Red Lich",
				"TEMP.HEX",
				"TA416",
				"Stately Taurus"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-18T02:00:04.852737Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-18T02:00:04.60568Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-18T02:00:05.227718Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-18T02:00:04.735386Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-18T02:00:05.145684Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776392444,
	"ts_updated_at": 1776478909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfddf153fee35967f9007b06edff9b24d2929bb2.pdf",
		"text": "https://archive.orkl.eu/bfddf153fee35967f9007b06edff9b24d2929bb2.txt",
		"img": "https://archive.orkl.eu/bfddf153fee35967f9007b06edff9b24d2929bb2.jpg"
	}
}