{
	"id": "4b145058-fc72-40fc-b307-8808ab904d35",
	"created_at": "2026-04-06T00:09:33.99125Z",
	"updated_at": "2026-04-10T03:37:21.696173Z",
	"deleted_at": null,
	"sha1_hash": "c452cc1533dfb4e3e6b92ee3157c647a71d26305",
	"title": "APT Expands Attack on ManageEngine With Active Campaign Against ServiceDesk Plus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 364662,
	"plain_text": "APT Expands Attack on ManageEngine With Active Campaign\r\nAgainst ServiceDesk Plus\r\nBy Robert Falcone, Peter Renals\r\nPublished: 2021-12-02 · Archived: 2026-04-05 19:36:43 UTC\r\nExecutive Summary\r\nOver the course of three months, a persistent and determined APT actor has launched multiple campaigns which\r\nhave now resulted in compromises to at least 4 additional organizations, for a total of 13. Beginning on Sept. 16,\r\n2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced\r\npersistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password\r\nmanagement and single sign-on solution known as ManageEngine ADSelfService Plus. Building upon the\r\nfindings of that initial report, on Nov. 7, Unit 42 disclosed a second, more sophisticated, active and difficult-to-detect campaign that had resulted in the compromise of at least nine organizations.\r\nAs an update to our initial reporting, over the past month we have observed the threat actor expand its focus\r\nbeyond ADSelfService Plus to other vulnerable software. Most notably, between Oct. 25 and Nov. 8, the actor\r\nshifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk\r\nPlus. We now track the combined activity as the TiltedTemple campaign. In our Nov. 7 blog, we stated that “while\r\nattribution is still ongoing and we have been unable to validate the actor behind the campaign, we did observe\r\nsome correlations between the tactics and tooling used in the cases we analyzed and Threat Group 3390 (TG-3390, Emissary Panda, APT27).”  At this stage, we would note that correlation to those tactics and tooling is\r\naccurate, but attribution remains ongoing. 
In line with the Microsoft Threat Intelligence Center’s (MSTIC)\r\n findings, some portions of TiltedTemple, specifically the September attacks exploiting ManageEngine\r\nADSelfService Plus overlaps with activity associated with DEV-0322, which according to MSTIC is “a group\r\noperating out of China, based on observed infrastructure, victimology, tactics, and procedures.”\r\nServiceDesk Plus is a help desk and asset management software. On Nov. 22, Zoho released a security advisory\r\nalerting customers of active exploitation against newly registered CVE-2021-44077. The vulnerability impacted\r\nServiceDesk Plus versions 11305 and below. While we have been unable to identify any publicly available proof\r\nof concept code for this vulnerability, it is now clear that the actor has successfully determined how to exploit\r\nunpatched versions of the software. Additionally, upon exploitation, the actor has been observed uploading a new\r\ndropper to victim systems. Similar to the previous tactics used against the ADSelfService software, this dropper\r\ndeploys a Godzilla webshell which provides the actor with further access to and persistence in compromised\r\nsystems. In scoping the problem, we leveraged Xpanse capabilities to determine that there are currently over 4,700\r\ninternet-facing instances of ServiceDesk Plus globally, and 2,900 – or 62% – are assessed to be vulnerable to\r\nexploitation.\r\nIn light of these recent developments, we would advance our characterization of the threat to that of an APT(s)\r\nconducting a persistent campaign, and leveraging a variety of initial access vectors, to compromise a diverse set of\r\nhttps://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/\r\nPage 1 of 9\n\ntargets globally. Over the past three months, at least 13 organizations across the technology, energy, healthcare,\r\neducation, finance and defense industries have been compromised. 
Of the four new victims, two were\r\ncompromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk\r\nPlus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance\r\nactivities against these industries and others, including infrastructure associated with five U.S. states.\r\nPalo Alto Networks customers are protected from the threats described in this blog by Threat Prevention for the\r\nNext-Generation Firewall, Cortex XDR and WildFire signatures. Additionally, Cortex Xpanse can accurately\r\nidentify vulnerable versions of ADSelfService Plus and ServiceDesk Plus software.\r\nRecent Activity\r\nUpon performing a thorough analysis across all of our telemetry sets, we observed that between Sept. 17 and Oct.\r\n15, the actor conducted reconnaissance and exploitation activities against ManageEngine ADSelfService Plus\r\nsoftware, as documented in our previous report.\r\nThe threat actor, however, quickly began to expand the scope. Notably, following the initial campaign, we\r\nwitnessed a steady flow of connections from the actor's malicious infrastructure to Zoho infrastructure beginning\r\non Oct. 21 and continuing through Nov. 9. The actors accessed archives.manageengine[.]com and\r\ndownload.manageengine[.]com. Browsing to the first site presents visitors with a form they can submit to request\r\naccess to older versions of ManageEngine software.\r\nFigure 1. Screenshot of archives.manageengine[.]com\r\nGiven this pattern of activity, we believe the actor may have used this portal to request older vulnerable versions\r\nof software in order to develop working exploits for known CVEs. Four days after this activity began, on Oct. 25,\r\nwe observed the first reconnaissance activity against a U.S. financial organization running a vulnerable version of\r\nManageEngine ServiceDesk Plus. 
In the days that followed, we observed similar activity across six other\r\norganizations, with exploitation against one U.S. defense organization and one tech organization beginning as\r\nearly as Nov. 3.\r\nIn continuing to track this actor's activities, we believe it is also important to note that on Nov. 9, we observed the\r\nactor connecting to passwordmanagerpromsp[.]com. This domain is associated with another ManageEngine\r\nproduct that provides Managed Service Providers (MSPs) with the ability to manage passwords across multiple\r\ncustomers in a single instance. Earlier this year, Zoho released a patch for CVE-2021-33617 affecting this product.\r\nWhile we have not seen any exploitation attempts to date, given the actor’s emerging pattern of targeting\r\nManageEngine products and the actor’s interest in this third product, we highly recommend organizations apply\r\nthe relevant patches.\r\nFigure 2. Timeline and impact of campaigns.\r\nServiceDesk Plus Vulnerability\r\nOn Nov. 20, a record for CVE-2021-44077 was created. Two days later, Zoho released a security advisory alerting\r\ncustomers of active exploitation against an unauthenticated remote code execution (RCE) vulnerability affecting\r\nServiceDesk Plus versions up to 11305. With a severity rating of critical, this vulnerability can allow an adversary\r\nto execute arbitrary code and carry out subsequent attacks. However, it is also worth noting that Zoho released an\r\nupdate on Sept. 
16, three months earlier, that prevents exploitation in versions 11306 and above.\r\nWe are not currently aware of any publicly available proof of concept code for how to exploit this vulnerability.\r\nAdditionally, given that the vulnerability was only disclosed after attacks began, we assess that the actor\r\nindependently developed exploit code for their attacks.\r\nWe analyzed Zoho's ManageEngine ServiceDesk Plus to determine how the actors would exploit this\r\nvulnerability. We confirmed the existence of an RCE vulnerability that leveraged ServiceDesk's REST API. The\r\nexploit requires a malicious actor to issue two requests to the REST API. The first is to upload an executable\r\nspecifically named msiexec.exe and the second request launches the msiexec.exe payload. Both of these requests\r\nare required for successful exploitation, and both are initiated remotely via the REST API without requiring\r\nauthentication to the ServiceDesk server. With our understanding of this vulnerability, we created the threat\r\nprevention signature Zoho ManageEngine ServiceDesk Plus File Upload Vulnerability (91949) to block inbound\r\nexploitation attempts.\r\nMsiexec.exe Analysis\r\nAfter successfully exploiting an internet-facing instance of ServiceDesk Plus, on Nov. 3, the actor uploaded and\r\nattempted to run a malicious dropper called msiexec.exe (SHA256:\r\necd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7). This file was uploaded to the\r\nserver via the ServiceDesk REST API during exploitation, after which the server saved the executable to the\r\nfollowing path:\r\nD:\\ManageEngine\\ServiceDesk\\bin\\msiexec.exe\r\nStatic analysis of this file shows that it was compiled a few days earlier on Oct. 31, thus suggesting it was\r\navailable for use against other vulnerable targets in preceding days. 
Additionally, as seen in malware in previous\r\ncampaigns, the author of this payload did not remove debug symbols when compiling this sample, which provided\r\ntwo interesting analytical leads. The debug symbol path was as follows:\r\nC:\\Users\\pwn\\documents\\visual studio 2015\\Projects\\payloaddll\\Release\\sd11301.pdb\r\nThe first interesting portion of the debug path is the username of pwn that was used to create this payload, which\r\nis the same username seen in the debug path within the ME_ADManager.exe dropper delivered in the attacks on\r\nADSelfService Plus. Secondly, the filename of sd11301.pdb suggests that the payload was specifically designed to\r\ntarget ServiceDesk Plus versions 11301 and below, which are vulnerable to CVE-2021-44077 as well as an older\r\nCVE-2021-37415.\r\nAs mentioned above, the actor would execute this payload during the exploitation of CVE-2021-44077 by issuing\r\na second request to the REST API, which instructs the ServiceDesk application to run the following command:\r\nmsiexec.exe /i Site24x7WindowsAgent.msi EDITA1=\u003cunique site24x7 API key\u003e /qn\r\nThe ServiceDesk application runs this command as part of the setup of Zoho’s Site24x7 product, which is\r\ndescribed as a “Performance Monitoring Solution for DevOps and IT Operations.” The documentation for the\r\nSite24x7 product details how to install the software using a legitimate copy of msiexec.exe as follows:\r\nmsiexec.exe /i Site24x7WindowsAgent.msi EDITA1=\u003cDevice Key\u003e /qn\r\nTherefore, the actor uploads the malicious msiexec.exe payload and tricks ServiceDesk into running it instead of\r\nthe legitimate msiexec.exe application. We confirmed that the malicious msiexec.exe dropper does not actually\r\nuse any of the other arguments passed on the command line.\r\nUpon successful execution, this sample starts by creating the following generic mutex, which can be found in\r\nmany code examples freely available on the internet. 
This mutex prevents multiple instances of the dropper from\r\nrunning on the same victim host, which is the same mutex as seen in the ME_ADManager.exe dropper delivered\r\nin previous attacks on ADSelfService Plus:\r\ncplusplus_me\r\nThe dropper then attempts to write a hardcoded Java module to the following location:\r\n../lib/tomcat/tomcat-postgres.jar\r\nThe tomcat-postgres.jar (SHA256: 67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015)\r\nfile is a variant of the Godzilla webshell that leverages Apache Tomcat’s Java Servlet Filter functionality, which\r\nwe will describe in the next section. In order to load the webshell into memory, the dropper searches for and kills\r\nthe java.exe process that is currently running the ServiceDesk Plus service. After killing the Java process, the\r\nprocess is automatically restarted by ServiceDesk Plus, which effectively loads the webshell filter into\r\nTomcat. The dropper finishes by moving itself to RunAsManager.exe within the current directory, which the\r\nServiceDesk application specifically sets to ManageEngine\\ServiceDesk\\site24x7 when executing\r\nmsiexec.exe using Java's ProcessBuilder API. \r\nGodzilla Webshell\r\nWhile the threat actor used the same webshell secret key – 5670ebd1f8f3f716 – that was previously seen in the\r\nattacks on ADSelfService Plus, the Godzilla webshell used in this attack was not a single Java Server Pages (JSP)\r\nfile as seen before. Rather, the webshell was installed as an Apache Tomcat Java Servlet Filter. 
According to\r\nTomcat’s documentation, these Tomcat Filters allow for the filtering of inbound requests or outbound responses.\r\nIn this particular case, this allows the actor to filter inbound requests to determine which requests are meant for the\r\nwebshell.\r\nThe fact that this Godzilla webshell is installed as a filter means that there is no specific URL that the actor will\r\nsend their requests to when interacting with the webshell, and the Godzilla webshell filter can also bypass a\r\nsecurity filter that is present in ServiceDesk Plus to stop access to webshell files.\r\nIt appears that the threat actor leveraged publicly available code called tomcat-backdoor to build the filter and then\r\nadded a modified Godzilla webshell to it. The use of a publicly available tool with documentation written in\r\nChinese fits the actor’s prior tactics, techniques and procedures (TTPs). For example, we previously saw this in\r\nthe Godzilla and NGLite tools used by the actor to attack ADSelfService Plus. The publicly available tomcat-backdoor source code provided the actors a codebase which they then modified by removing the default code that\r\nwould run commands from inbound requests with custom code that used the Godzilla webshell.\r\nFigure 3a. Threat actor's Tomcat filter.\r\nFigure 3b. Publicly available tomcat-backdoor\r\nIn order to make the Godzilla webshell work under the filter environment, the threat actor made a few changes to\r\nthe webshell code as well as, we believe, the webshell controller. For example, the Tomcat filter does not support\r\nthe HttpSession object. Thus, HttpSession methods in Godzilla webshell were replaced with HttpServletRequest\r\nrequest and response. Also, to identify requests to interact with Godzilla, the tomcat-postgres.jar filter looks for\r\ninbound POST requests with a parameter jsessionsid. 
After identifying inbound requests to the webshell, the filter\r\nwill look for parameters named j_username to obtain the Godzilla webshell command’s functional code and\r\nj_password to access the parameters for the functional code.\r\nFigure 4. Modified Godzilla shell vs original Godzilla shell.\r\nVulnerable Systems\r\nRecent scans by the Palo Alto Networks Cortex Xpanse platform identified over 4,700 internet-exposed systems\r\nrunning the ServiceDesk Plus software globally. Across the global population, we also determined that roughly\r\n2,900 – or 62% – of systems are running vulnerable or unpatched versions of the software. The largest population\r\nof vulnerable systems was found in the U.S., followed by India, Russia, Great Britain and Turkey.\r\nCountry Percentage\r\nUnited States 21%\r\nIndia 6.0%\r\nRussia 5.7%\r\nGreat Britain 3.5%\r\nTurkey 3.4%\r\nTable 1. Global dispersion of vulnerable ServiceDesk Plus systems.\r\nAs of publication, within the U.S., we identified over 1,200 systems running ServiceDesk Plus software. Roughly\r\n600 – or 50% – of the systems are running vulnerable or unpatched versions of the software. In characterizing this\r\nvulnerable population, we found systems falling across all industry segments, including 23 universities, 14 state or\r\nlocal governments, and 10 healthcare organizations.\r\nConclusion\r\nOver the course of three months, a persistent and determined APT actor has launched multiple campaigns which\r\nhave resulted in compromises to at least 13 organizations. Several of the impacted organizations fall across U.S.\r\ncritical infrastructure sectors, including defense, transportation, healthcare and energy.\r\nThe actor's first campaign leveraged a zero-day vulnerability in Zoho ManageEngine ADSelfService Plus\r\nsoftware. 
In late October, the actor launched its most recent campaign, which shifted focus toward a previously\r\nundisclosed vulnerability in Zoho ManageEngine ServiceDesk Plus software (CVE-2021-44077). Upon exploiting\r\nthis vulnerability, the actor uploaded a new dropper that deployed a Godzilla webshell on victim networks with\r\ncapability to bypass a security filter on ADSelfService and ServiceDesk Plus products.\r\nGlobally there are over 4,700 internet facing instances of ServiceDesk Plus, of which 2,900 – or 62% – are\r\nassessed to be vulnerable to exploitation. Given the actor's success to date and continued reconnaissance activities\r\nagainst a variety of industries (including infrastructure associated with five US states), we anticipate the number\r\nof victims will continue to climb.\r\nWe encourage all organizations to patch vulnerable software in their environments.\r\nProtections and Mitigations\r\nThe best defense against this evolving campaign is a security posture that favors prevention. We recommend that\r\norganizations implement the following:\r\n1. Identify all Zoho software and ensure the latest patches/upgrades have been applied.\r\n2. Evaluate the business need and risk associated with any internet-facing Zoho products.\r\n3. Review all files that have been created in ServiceDesk Plus directories since early October 2021.\r\n4. If you think you may have been impacted, please email unit42-investigations@paloaltonetworks.com or\r\ncall (866) 486-4842 – (866) 4-UNIT42 – for U.S. toll free, (31-20) 299-3130 in EMEA or (65) 6983-8730\r\nin JAPAC. The Unit 42 Incident Response team is available 24/7/365.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ncampaign:\r\nThreat Prevention provides protection against the Godzilla webshells. 
Threat IDs 81803, 81815, 81816, 81817 and\r\n81819 cover the various deviations in traffic across the .net, java, php, and asp formats of this webshell. These\r\nprotections have been in place since Apr. 28, 2021. Threat ID 91949 (Zoho ManageEngine ServiceDesk Plus File\r\nUpload Vulnerability) provides protection against CVE-2021-44077.\r\nCortex XDR protects endpoints and accurately identifies the dropper used in this campaign as malicious.\r\nAdditionally, Cortex XDR has several detections for lateral movement and credential theft TTPs employed by this\r\nactor set.\r\nWildFire cloud-based threat analysis service accurately identifies the dropper used in this campaign as malicious.\r\nCortex Xpanse can accurately identify Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus servers, as\r\nwell as whether or not they are vulnerable to these attacks, across customer networks.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSamples\r\necd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7\r\n67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015\r\nAdditional Resources\r\nTargeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells,\r\nNGLite Trojan and KdcSponge Stealer – Unit 42, Palo Alto Networks\r\nThreat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus - MSTIC\r\nAPT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus - CISA\r\nSource: https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/"
	],
	"report_names": [
		"tiltedtemple-manageengine-servicedesk-plus"
	],
	"threat_actors": [
		{
			"id": "0a80df4d-5ab7-4ca3-809d-8ef7b5a54f1f",
			"created_at": "2023-11-21T02:00:07.386886Z",
			"updated_at": "2026-04-10T02:00:03.474764Z",
			"deleted_at": null,
			"main_name": "TiltedTemple",
			"aliases": [
				"Circle Typhoon",
				"DEV-0322"
			],
			"source_name": "MISPGALAXY:TiltedTemple",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c452cc1533dfb4e3e6b92ee3157c647a71d26305.pdf",
		"text": "https://archive.orkl.eu/c452cc1533dfb4e3e6b92ee3157c647a71d26305.txt",
		"img": "https://archive.orkl.eu/c452cc1533dfb4e3e6b92ee3157c647a71d26305.jpg"
	}
}