{
	"id": "a4174da8-bd67-4091-a0f3-551752d97991",
	"created_at": "2026-04-06T00:16:31.136228Z",
	"updated_at": "2026-04-10T03:36:36.910715Z",
	"deleted_at": null,
	"sha1_hash": "c00d7d85a352801ac14f5a0d3daaac489880472f",
	"title": "Securonix Threat Labs Monthly Intelligence Insights – June 2023",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 363487,
	"plain_text": "Securonix Threat Labs Monthly Intelligence Insights – June 2023\r\nArchived: 2026-04-02 12:21:54 UTC\r\nAuthors: Dheeraj Kumar, Ella Dragun\r\nThe Monthly Intelligence Insights provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs in June. The report additionally provides a synopsis of the threats; indicators of compromise (IoCs); tactics, techniques, and procedures (TTPs); and related tags. Each threat has a comprehensive threat summary from Threat Labs and search queries from the Threat Research team. For additional information on Threat Labs and the related search queries used via Autonomous Threat Sweeper to detect the threats mentioned below, refer to our Threat Labs home page.\r\nIn June 2023, Threat Labs analyzed and monitored major threat categories, including the ongoing MOVEit Transfer zero-day vulnerability campaign, the Barracuda ESG zero-day vulnerability, the MULTI#STORM attack campaign, the North Korean TAG-71 group, Cadet Blizzard (a new Russian threat actor), and the Lancefly APT, which targets governments, aviation, and other organizations with custom backdoors.\r\nIn June 2023, Securonix Autonomous Threat Sweeper identified 4,692 TTPs and IoCs, 127 distinct threats, and reported 15 threat detections. The top data sources swept against include IDS/IPS/UTM/Threat Detection, Endpoint Management Systems, Data Loss Prevention, and Email/Email Security.\r\nhttps://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/\r\nPage 1 of 8\r\nBarracuda critical vulnerability (Originally published in June 2023)\r\nResearchers from Barracuda have urged their customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them. More technical details on the Barracuda ESG zero-day vulnerability (CVE-2023-2868) are reported in Mandiant’s blog.\r\nDuring its investigation, Mandiant recognized a China-nexus actor, known as UNC4841, which tried to target a subset of Barracuda ESG appliances for espionage across regions and sectors. UNC4841 is most likely an espionage actor driving this global campaign in favor of the People’s Republic of China.\r\nBased on the evidence gathered during the analysis, the first stage of compromises seems to have happened on a small subset of appliances geolocated in China. C2 communications during this early stage of compromise also used port 8080, while later compromises almost entirely leveraged port 443 or port 25.\r\nThreat Labs summary\r\nSecuronix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from this vulnerability.\r\nReview email logs to identify the initial point of exposure.\r\nRevoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise.\r\nRevoke and reissue all certificates that were on the ESG at the time of compromise.\r\nMonitor the entire environment for the use of credentials that were on the ESG at the time of compromise.\r\nMonitor the entire environment for the use of certificates that were on the ESG at the time of compromise.\r\nReview network logs for signs of data exfiltration and lateral movement.\r\nBarracuda reiterated guidance recommending that all impacted Barracuda customers immediately isolate and replace compromised appliances.\r\n109 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.\r\nTags: Threat Actor: UNC4841, a China-nexus actor | Threat Actor Location: China | Attack: Barracuda Email Security Gateway (ESG) appliances\r\nThreat Activity Group 71 exploits (Originally published in June 2023)\r\nRecorded Future researchers have discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. They refer to the group behind this activity as Threat Activity Group 71 (TAG-71). They also identified 74 domains resolving to 5 IP addresses, as well as 6 malicious files, in the most recent cluster of activity from September 2022 to March 2023.\r\nTAG-71 activities closely follow public reports on North Korean state-sponsored APT38 (also commonly known as Bluenoroff, Stardust Chollima, and BeagleBoyz) activity.\r\nLast year, Insikt Group discovered 18 malicious servers tied to TAG-71 and linked to the CryptoCore campaign to deliver malware, phishing, and malware command and control (C2). These servers and associated malicious documents compromised popular cloud services, cryptocurrency exchanges, and private investment firms and successfully targeted potential victims to open malicious content or provide their login credentials.\r\nDEV-0586, another threat group that got Microsoft’s attention this month, is a distinct Russian state-sponsored threat actor that has now been given the name Cadet Blizzard. This group launched the destructive malware “WhisperGate Wiper” in January 2022 against organizations affiliated with the Ukrainian government, when Microsoft still identified it as DEV-0586.\r\nWhile the group’s activities may be less sophisticated than those of other threat actors, their destructive attacks have targeted government organizations and IT providers mainly in Ukraine, with occasional operations in Europe and Latin America.\r\nFrom a technical perspective, Cadet Blizzard mainly achieved initial access by exploiting web servers and vulnerabilities in Confluence servers, Exchange servers, and open-source platforms.\r\nCadet Blizzard reportedly ran lateral movement with obtained network credentials and modules from the Impacket framework, while command and control (C2) was achieved via socket-based tunneling utilities and occasionally Meterpreter.\r\nThreat Labs summary\r\nSecuronix Threat Labs recommends leveraging our findings to deploy defensive measures against increased threats from Threat Activity Group 71 (TAG-71).\r\nMaintain consistent backup procedures and store those backups offline or on a different network.\r\nReview all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.\r\nEnable multifactor authentication (MFA) to mitigate potentially compromised credentials.\r\nImplement network segmentation and maintain offline backups of data to ensure limited interruption to your organization.\r\nApply the vendor patches immediately.\r\nAdd users to the Protected Users Security Group.\r\nAvoid clicking on suspicious links and opening email attachments without first checking their legitimacy.\r\n99 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.\r\nTTPs related to the Cadet Blizzard group include but are not limited to the following:\r\nMonitor for PowerShell DownloadFile usage\r\nCheck for Impacket WMIExec activity with common Cadet Blizzard commands\r\nMonitor for scheduled task creation, command execution, and C2 communication\r\nTags: Campaign: North Korean state-sponsored cyber actor Threat Activity Group 71 (TAG-71) and Russian state-sponsored actor Cadet Blizzard | Target location: government organizations and IT providers mainly in Ukraine, with occasional operations in Europe and Latin America\r\nZero-day vulnerability in MOVEit Transfer (Originally published in June 2023)\r\nThe MOVEit Transfer web application has several SQL injection flaws that could let an unauthenticated attacker access the MOVEit Transfer database without authorization.\r\nNew SQL injection flaws impacting the file transfer solution have been patched by Progress Software, the developer of the MOVEit Transfer program, in order to prevent the theft of sensitive data.\r\nThe renowned Cl0p ransomware gang, which has a history of organizing data theft campaigns and utilizing zero-day weaknesses in several managed file transfer platforms since December 2020, has been blamed for the activity.\r\nThe earliest signs of exploitation, which led to the deployment of web shells and data theft, were discovered on May 27, 2023, according to a preliminary analysis from Mandiant incident response engagements. Data theft has occasionally happened within minutes of web shell deployment. Although the victims of this campaign did not originally receive any ransom demands, the campaign’s apparent opportunism and the eventual data theft are consistent with the behavior of extortion actors. Then, on June 6, 2023, a post on the data leak site (DLS) CL0P_-LEAKS claimed ownership of this activity and threatened to post stolen data if victims did not pay an extortion charge.\r\nA web shell called LEMURLOOT was used to infect publicly accessible MOVEit Transfer web applications and steal data from the underlying MOVEit Transfer databases. A similar flurry of activity was launched by TA505 in early 2023 targeting Fortra/Linoma GoAnywhere MFT servers and Accellion File Transfer Appliance (FTA) devices in the form of zero-day exploit-driven attacks.\r\nThreat Labs summary\r\nSecuronix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from this vulnerability.\r\nUpdate MOVEit Transfer to one of these patched versions:\r\nMOVEit Transfer 2023.0.1\r\nMOVEit Transfer 2022.1.5\r\nMOVEit Transfer 2022.0.4\r\nMOVEit Transfer 2021.1.4\r\nMOVEit Transfer 2021.0.6\r\nUsers should follow the steps provided in the MOVEit Security Advisory in order to remediate successfully. These steps include the following:\r\nDisable all HTTP and HTTPS traffic to your MOVEit Transfer environment\r\nSearch for IoCs, delete them, and reset account credentials\r\nApply the patch\r\nRe-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment\r\nVerify that all of the files have been successfully deleted and that no unauthorized accounts remain.\r\nContinuously monitor the network, endpoints, and logs for the IoCs listed in the advisory.\r\n305 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.\r\nTTPs related to the MOVEit vulnerability include but are not limited to the following:\r\nMonitor for specific requests to moveitisapi.dll, human2.aspx, and guestaccess.aspx\r\nTags: Vulnerability: CVE-2023-34362 | Attack Type: SQL injection | Affected Product: MOVEit Transfer web application\r\nNew MULTI#STORM attack campaign (Originally published in June 2023)\r\nWarzone RAT infections were recently discovered being distributed via phishing emails by MULTI#STORM, an intriguing attack campaign using a Python-based loader malware.\r\nThe Securonix Threat Research Team recently examined an interesting phishing effort. The attack starts when the user clicks on an extensively encrypted JavaScript file inside a password-protected zip file.\r\nThe MULTI#STORM campaign appears to have targeted certain victims in the US and India.\r\nAt the conclusion of the attack chain, the victim computer is infected with numerous distinct RAT (remote access trojan) malware instances, including Warzone RAT and Quasar RAT. Both are used for command and control at various points along the infection chain.\r\nIt’s quite interesting to learn about the loader that led to the host’s initial compromise. Although it utilizes TTPs similar to DBatLoader, this malware is written in Python, bundled with PyInstaller, and uses some quite advanced tactics to build persistence and evade detection before launching the RAT payloads.\r\nThreat Labs summary\r\nSecuronix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from this campaign.\r\nLike so many previous attacks, this one begins with a phishing email that contains a link. The link, which refers to a request for a quote, sends the user to a Microsoft OneDrive file for the victim to download.\r\nThe OneDrive link in this instance downloads a 500KB password-protected zip file with the name “REQUEST.zip” and the password “12345”.\r\nAfter extracting the zip file, the target user is shown a single JScript file called REQUEST.js.\r\nSurprisingly, no attempt was made to disguise the file using .LNK execution or, at the very least, a double extension to make it appear as a different file type.\r\n18 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.\r\nTTPs related to the MULTI#STORM attack campaign include but are not limited to the following:\r\nMonitor for PowerShell and .lnk files initiated by the explorer.exe process in an endpoint management system. This detection captures the specified conditions, and its response actions suggest measures to mitigate and detect such behavior.\r\nMonitor for process creation events in an endpoint management system where the destination process starts with “C:\\Windows\\System32”.\r\nMonitor for registry modifications in an endpoint management system related to the “Open” command for folders, specifically when the value is set to either cmd.exe or powershell.exe.\r\nTags: Malware: MULTI#STORM | Target Location: India, US | Attack Type: Phishing\r\nIncreased attacks on government organizations (Originally published in June 2023)\r\nNumerous espionage operations were directed at governmental organizations in the Middle East and Africa. The attacks’ primary objective, according to the results, was to acquire extremely sensitive and private information, particularly on political figures, military operations, and foreign affairs departments.\r\nThe attacks, which took place around the same time, included a number of strikingly identical tactics, techniques, and procedures (TTPs), some of which had never been seen before in the wild. Other TTPs are rather uncommon, with just a few attackers known to use them. The activity is tracked as CL-STA-0043.\r\nThe expertise, adaptability, and victimology of this activity group point to a highly skilled APT threat actor, and it is believed that this threat actor is a nation-state.\r\nIn South and Southeast Asia, the APT group Lancefly is targeting businesses in the government, education, telecom, and aviation sectors using a specially created backdoor. The potent backdoor, known as Merdoor, has been operational since 2018.\r\nThe campaign’s perpetrators have access to the most recent ZXShell rootkit version. The latest version of ZXShell targets antivirus software to disable it, while also being smaller in size and having more features. The rootkit is signed with the certificate ‘Wemade Entertainment Co. Ltd,’ which was connected to APT41 in August 2019.\r\nThreat Labs summary\r\nSecuronix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from these campaigns.\r\nAfter breaking into the network, CL-STA-0043 engaged in reconnaissance, mapping out the system and locating vital assets. The attackers’ primary objectives were locating administrator accounts and locating crucial servers, such as:\r\nDomain controllers\r\nWeb servers\r\nExchange servers\r\nFTP servers\r\nSQL databases\r\nMerdoor is a fully functional backdoor that appears to have been available since 2018, with the following features:\r\nInstalling itself as a service\r\nKeylogging\r\nA variety of methods to communicate with its command-and-control (C\u0026C) server (HTTP, HTTPS, DNS, UDP, TCP)\r\nAbility to listen on a local port for commands\r\n76 IoCs are available on our Threat Labs home page and have been swept against Autonomous Threat Sweeper customers.\r\nTTPs related to the CL-STA-0043 group include but are not limited to the following:\r\nMonitor for instances where the command line contains “JuicyPotato”, “SharpEfsPotato”, or “StickyKeys”, or where the process name is “cmd.exe” and the command line contains “Iislpe.exe”.\r\nTTPs related to the Lancefly group include but are not limited to the following:\r\nMonitor for and detect PowerShell commands that launch rundll32.exe with MiniDump, Reg.exe commands dumping the SAM and SYSTEM hives, the Avast tool used for dumping LSASS memory, and the use of masqueraded WinRAR (wmiprvse.exe) for staging and encrypting files.\r\nMonitor for execution of the “LoadSys” export and check for the presence of files with the paths “[WindowsDirectory]\\system32\\drivers\\TdiProxy.sys” or “[WindowsDirectory]\\system64\\drivers\\TdiProxy.sys”. Also detect the creation of the device “\\Device\\TdiProxy0” and the symbolic link “\\DosDevices\\TdiProxy0”. Additionally, check for the presence of the PDB filename “c:\\google\\objchk_win7_amd64\\amd64\\Google.pdb”.\r\nTags: Target Location: Middle East, Africa, South and Southeast Asia | APT Group: Lancefly, CL-STA-0043 | Target Sector: Government, Education, Telecom, and Aviation | Malware: Merdoor\r\nFor a full list of the search queries used on Autonomous Threat Sweeper for the threats detailed above, refer to our Threat Labs home page. The page also references a list of relevant policies used by threat actors.\r\nWe would like to hear from you. Please reach out to us at scia@securonix.com.\r\nNote: The TTPs, when used in isolation, are prone to false positives and noise and should ideally be combined with the other indicators mentioned.\r\nContributors: Sina Chehreghani, Dhanaraj K R\r\nSource: https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/"
	],
	"report_names": [
		"securonix-threat-labs-monthly-intelligence-insights-june-2023"
	],
	"threat_actors": [
		{
			"id": "ef8ed28b-6afb-4447-b560-0df2892b8f1c",
			"created_at": "2023-06-23T02:04:34.315779Z",
			"updated_at": "2026-04-10T02:00:04.738599Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "ETDA:Lancefly",
			"tools": [
				"Merdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fdf8d396-bbe4-454c-970a-81c4c3093b27",
			"created_at": "2022-10-25T16:07:23.763387Z",
			"updated_at": "2026-04-10T02:00:04.742186Z",
			"deleted_at": null,
			"main_name": "BeagleBoyz",
			"aliases": [
				"BeagleBoyz",
				"Operation FASTCash"
			],
			"source_name": "ETDA:BeagleBoyz",
			"tools": [
				"Cyruslish",
				"ECCENTRICBANDWAGON",
				"FASTCash",
				"NACHOCHEESE",
				"NachoCheese",
				"PSLogger",
				"TWOPENCE",
				"VIVACIOUSGIFT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ffc66b49-9396-46af-966f-9376c4315f32",
			"created_at": "2023-11-21T02:00:07.339061Z",
			"updated_at": "2026-04-10T02:00:03.462317Z",
			"deleted_at": null,
			"main_name": "CL-STA-0043",
			"aliases": [
				"TGR-STA-0043"
			],
			"source_name": "MISPGALAXY:CL-STA-0043",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81a3e326-a23a-4b8b-ae07-2e6679b3f2b3",
			"created_at": "2023-11-04T02:00:07.682997Z",
			"updated_at": "2026-04-10T02:00:03.391958Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "MISPGALAXY:Lancefly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cff2cedd-a198-4e79-ae67-19048084ae7f",
			"created_at": "2024-06-20T02:02:09.945126Z",
			"updated_at": "2026-04-10T02:00:04.79991Z",
			"deleted_at": null,
			"main_name": "Operation Diplomatic Specter",
			"aliases": [
				"CL-STA-0043",
				"TGR-STA-0043"
			],
			"source_name": "ETDA:Operation Diplomatic Specter",
			"tools": [
				"Agent Racoon",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotatoNG",
				"Kaba",
				"Korplug",
				"LadonGo",
				"Mimikatz",
				"Mimilite",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"Ntospy",
				"PCRat",
				"PlugX",
				"RedDelta",
				"SharpEfsPotato",
				"SinoChopper",
				"Sogu",
				"SweetSpecter",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TunnelSpecter",
				"Xamtrav",
				"Yasso",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dcbff54d-13ec-40b5-b3b9-b74a315669e1",
			"created_at": "2026-02-03T02:00:03.428641Z",
			"updated_at": "2026-04-10T02:00:03.937539Z",
			"deleted_at": null,
			"main_name": "UNC1069",
			"aliases": [
				"MASAN",
				"CryptoCore"
			],
			"source_name": "MISPGALAXY:UNC1069",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c00d7d85a352801ac14f5a0d3daaac489880472f.pdf",
		"text": "https://archive.orkl.eu/c00d7d85a352801ac14f5a0d3daaac489880472f.txt",
		"img": "https://archive.orkl.eu/c00d7d85a352801ac14f5a0d3daaac489880472f.jpg"
	}
}