{
	"id": "108c244e-a166-4d9f-bf19-e8a3d2ce37f5",
	"created_at": "2026-04-06T00:07:27.714828Z",
	"updated_at": "2026-04-10T03:32:21.137483Z",
	"deleted_at": null,
	"sha1_hash": "c50d23725bf49884bbbe6a1a1fcffed428538775",
	"title": "Blackfly: Espionage Group Targets Materials Technology",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45701,
	"plain_text": "Blackfly: Espionage Group Targets Materials Technology\r\nArchived: 2026-04-05 21:58:55 UTC\r\nThe Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against\r\ntargets in Asia and recently targeted two subsidiaries of an Asian conglomerate, both of which operate in the\r\nmaterials and composites sector, suggesting that the group may be attempting to steal intellectual property.\r\nCurrent Blackfly toolset\r\nThe following tools were used in attacks during late 2022 and early 2023:\r\nBackdoor.Winnkit\r\nSHA256: caba1085791d13172b1bb5aca25616010349ecce17564a00cb1d89c7158d6459\r\nSHA256: cf6bcd3a62720f0e26e1880fe7ac9ca6c62f7f05f1f68b8fe59a4eb47377880a\r\nSHA256: e1e0b887b68307ed192d393e886d8b982e4a2fd232ee13c2f20cd05f91358596\r\nSHA256: a3078d0c4c564f5efb1460e7d341981282f637d38048501221125756bc740aac\r\nSHA256: 714cef77c92b1d909972580ec7602b0914f30e32c09a5e8cb9cb4d32aa2a2196\r\nSHA256: 192ef0dee8df73eec9ee617abe4b0104799f9543a22a41e28d4d44c3ad713284\r\nRootkit driver known to be associated with Blackfly.\r\n \r\nCredential-dumping tool\r\nSHA256: 100cad54c1f54126b9d37eb8c9e426cb609fc0eda0e9a241c2c9fd5a3a01ad6c\r\nCreates a dump of credentials from lsass.exe in C:\\windows\\temp\\1.bin.\r\n \r\nScreenshotting tool\r\nSHA256: 452d08d420a8d564ff5df6f6a91521887f8b9141d96c77a423ac7fc9c28e07e4\r\nScreenshots all open windows and saves them as .jpg files.\r\n \r\nProcess-hollowing tool\r\nSHA256: 1cc838896fbaf7c1996198309fbf273c058b796cd2ac1ba7a46bee6df606900e\r\nInjects shellcode into C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted. The shellcode is\r\na simple \"Hello World\" alert message.\r\n \r\nSQL tool\r\nSHA256: 4ae2cb9454077300151e701e6ac4e4d26dc72227135651e02437902ac05aa80d\r\nSQL client tool used to query SQL databases.\r\n \r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials\r\nPage 1 of 3\n\nMimikatz\r\nSHA256: b28456a0252f4cd308dfb84eeaa14b713d86ba30c4b9ca8d87ba3e592fd27f1c\r\nPublicly available credential-dumping tool.\r\n \r\nForkPlayground\r\nSHA256: a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864\r\nProof-of-concept application to create a memory dump of an arbitrary process using the ForkLib.\r\n \r\nProxy configuration tool\r\nSHA256: 5e51bdf067e5781d2868d97e7608187d2fec423856dbc883c6f81a9746e99b9f\r\nSHA256: d4e1f09cb7b9b03b4779c87f2a10d379f1dd010a9686d221c3a9f45bda5655ee\r\nSHA256: f138d785d494b8ff12d4a57db94958131f61c76d5d2c4d387b343a213b29d18f\r\nConfigures proxy settings by injecting into: C:\\Windows\\system32\\svchost.exe -k\r\nLocalSystemNetworkRestricted.\r\n \r\nProxy configuration tool\r\nSHA256: 88113bebc49d40c0aa1f1f0b10a7e6e71e4ed3ae595362451bd9dcebcf7f8bf4\r\nSHA256: 498e8d231f97c037909662764397e02f67d0ee16b4f6744cf923f4de3b522bc1\r\nThis tool requires a file called conf.dat to run properly, located at: c:\\users\\public\\conf.dat. Conf.dat\r\ncontains the configuration used to set up proxy settings.\r\nLongstanding APT group\r\nBlackfly is one of the longest-known Chinese advanced persistent threat (APT) groups, active since at least 2010.\r\nEarly attacks were distinguished by the use of the PlugX/Fast (Backdoor.Korplug), Winnti/Pasteboy\r\n(Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad) malware families. The group initially made a name\r\nfor itself through attacks on the computer gaming industry. It subsequently branched out into targeting a more\r\ndiverse range of targets, including organizations in the semiconductor, telecoms, materials manufacturing,\r\npharmaceutical, media and advertising, hospitality, natural resources, fintech, and food sectors.\r\nBlackfly has been closely associated with a second Chinese APT group known as Grayfly, so much so that some\r\nvendors track the two groups as one actor: APT41. A 2020 indictment of seven men on charges relating to\r\nhundreds of cyber attacks carried out by both groups appeared to shed light on this link. Two Chinese nationals\r\nwere alleged to have worked with both groups. A crossover in personnel may account for the similarities between\r\nthe two groups.\r\nUndeterred\r\nDespite being the subject of a U.S. indictment, Blackfly has continued to mount attacks, seemingly undeterred by\r\nthe publicity afforded to the group. Although it originally made a name for itself by attacking the gaming sector,\r\nthe group at present appears focused on targeting intellectual property in a variety of sectors.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials"
	],
	"report_names": [
		"blackfly-espionage-materials"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c50d23725bf49884bbbe6a1a1fcffed428538775.pdf",
		"text": "https://archive.orkl.eu/c50d23725bf49884bbbe6a1a1fcffed428538775.txt",
		"img": "https://archive.orkl.eu/c50d23725bf49884bbbe6a1a1fcffed428538775.jpg"
	}
}