{
	"id": "96d74dd5-0d32-436e-8359-d4a6d42c72b1",
	"created_at": "2026-04-06T00:07:05.99172Z",
	"updated_at": "2026-04-10T13:11:34.818704Z",
	"deleted_at": null,
	"sha1_hash": "c659b44a020fb13843950889b8c5c57569dca489",
	"title": "Mustang Panda’s Hodur: Old tricks, new Korplug variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1434803,
	"plain_text": "Mustang Panda’s Hodur: Old tricks, new Korplug variant\r\nBy Alexandre Côté Cyr\r\nArchived: 2026-04-05 23:11:47 UTC\r\nESET researchers discovered a still-ongoing campaign using a previously undocumented Korplug variant, which they named Hodur due to its resemblance to the THOR variant previously documented by Unit 42 in 2020. In Norse mythology, Hodur is Thor’s blind half-brother, who is tricked by Loki into killing their half-brother Baldr.\r\nKey findings in this blogpost:\r\nAs of March 2022, this campaign is still ongoing and goes back to at least August 2021.\r\nKnown victims include research entities, internet service providers, and European diplomatic missions.\r\nThe compromise chain includes decoy documents that are frequently updated and relate to events in Europe.\r\nThe campaign uses a custom loader to execute a new Korplug variant.\r\nEvery stage of the deployment process uses anti-analysis techniques and control-flow obfuscation, which sets it apart from other campaigns.\r\nESET researchers provide an in-depth analysis of the capabilities and commands of this new variant.\r\nVictims of this campaign are likely lured with phishing documents abusing the latest events in Europe, such as Russia’s invasion of Ukraine. The invasion resulted in more than three million residents fleeing the war to neighboring countries, leading to an unprecedented crisis on Ukraine’s borders. One of the filenames related to this campaign is Situation at the EU borders with Ukraine.exe.\r\nOther phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council. The last one is a real document available on the European Council’s website. This shows that the APT group behind this campaign is following current affairs and is able to react to them quickly.\r\nFigure 1. Countries affected by Mustang Panda in this campaign\r\nAffected countries:\r\nMongolia\r\nVietnam\r\nMyanmar\r\nGreece\r\nRussia\r\nCyprus\r\nSouth Sudan\r\nSouth Africa\r\nAffected verticals:\r\nDiplomatic missions\r\nResearch entities\r\nInternet service providers (ISPs)\r\nhttps://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/\r\nPage 1 of 16\r\nAnalysis\r\nBased on code similarities and the many commonalities in Tactics, Techniques, and Procedures (TTPs), ESET researchers attribute this campaign with high confidence to Mustang Panda (also known as TA416, RedDelta, or PKPLUG). It is a cyberespionage group mainly targeting governmental entities and NGOs. Its victims are mostly, but not exclusively, located in East and Southeast Asia with a focus on Mongolia. The group is also known for its campaign targeting the Vatican in 2020.\r\nWhile we haven’t been able to identify the verticals of all victims, this campaign seems to have the same targeting objectives as other Mustang Panda campaigns. Following the APT’s typical victimology, most victims are located in East and Southeast Asia, along with some in European and African countries. According to ESET telemetry, the vast majority of targets are located in Mongolia and Vietnam, followed by Myanmar, with only a few in the other affected countries.\r\nMustang Panda’s campaigns frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and Korplug (also known as PlugX). The group has also been known to create its own Korplug variants. Compared to other campaigns using Korplug, every stage of the deployment process uses anti-analysis techniques and control-flow obfuscation.\r\nThis blogpost contains a detailed analysis of this previously unseen Korplug variant used in this campaign. 
This activity is part of the same campaign recently covered by Proofpoint, but we provide additional historical and targeting information.\r\nToolset\r\nMustang Panda is known for its elaborate custom loaders and Korplug variants, and the samples used in this campaign showcase this perfectly.\r\nCompromise chains seen in this campaign follow the typical Korplug pattern: a legitimate, validly signed executable vulnerable to DLL search-order hijacking, a malicious DLL, and an encrypted Korplug file are deployed on the target machine. The executable is abused to load the module, which then decrypts and executes the Korplug RAT. In some cases, a downloader is used first to deploy these files along with a decoy document. This process is illustrated in Figure 2.\r\nFigure 2. Overview of the deployment process for the Hodur Korplug variant.\r\nWhat sets this campaign apart is the heavy use of control-flow obfuscation and anti-analysis techniques at every stage of the deployment process. The following sections describe the behavior of each stage and take a deeper look at the defense evasion techniques used in each of them.\r\nInitial access\r\nWe haven’t been able to observe the initial deployment vector, but our analysis points to phishing and watering hole attacks as likely vectors. In instances where we saw a downloader, the filenames used suggest a document with an interesting subject for the target. Such examples include:\r\nCOVID-19 travel restrictions EU reviews list of third countries.exe\r\nState_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.exe\r\nREGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe\r\nSituation at the EU borders with Ukraine.exe\r\nTo further the illusion, these binaries download and open a document that has the same name but with a .doc or .pdf extension. The contents of these decoys accurately reflect the filename. As shown in Figure 3, at least one of them is a publicly accessible legitimate document from the European Parliament.\r\nFigure 3. First page of the decoy document for the REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe downloader. It’s a real document available on the European Council’s website.\r\nDownloader\r\nAlthough its complexity has increased over the course of the campaign, the downloader is fairly straightforward. This increase in complexity comes from additional anti-analysis techniques, which we cover later in this section.\r\nIt first downloads four files over HTTPS: a decoy document, a legitimate executable, a malicious module, and an encrypted Korplug file. The combination of those last three components to execute a payload via DLL side-loading is sometimes referred to as a trident and is a technique commonly used by Mustang Panda, and with Korplug loaders in general. Both the server addresses and file paths are hardcoded in the downloader executable. 
Once everything is downloaded, and the decoy document opened to distract the victim, the downloader uses the following command line to launch the legitimate executable:\r\ncmd /c ping 8.8.8.8 -n 70\u0026\u0026\"%temp%\\\u003clegitimate executable\u003e\"\r\nThis ping command both checks internet connectivity and introduces a delay (through the -n 70 option) before executing the downloaded, legitimate executable. Because of the \u0026\u0026 operator, the executable only runs if ping exits successfully, so the chain stalls on a host without network access, and a delay of roughly 70 seconds is a common way to outlast short automated sandbox runs.\r\nThe downloader uses multiple anti-analysis techniques, many of which are also used in the loader and final payload. Additional obfuscation has been added to new versions over the course of the campaign without otherwise changing their goal.\r\nIn early versions of the downloader, junk code and opaque predicates were used to hinder analysis, as shown in Figure 4, but the server and filenames are plainly visible in cleartext.\r\nFigure 4. Control flow obfuscation in early versions of the downloader\r\nIn later versions, the files on the server are RC4 encrypted, using the base 10 string representation of the file size as the key, and then hex-encoded. This process is illustrated in the Python snippet below (using pycryptodome’s ARC4 module). The opposite operations are performed client-side by the downloader to recover the plaintext files. This is likely done to bypass network-level protections rather than to keep the files secret: RC4 preserves length, so the plaintext size, and therefore the key, can be derived from the downloaded blob alone.\r\nfrom Crypto.Cipher import ARC4  # pycryptodome; the key must be bytes\r\nkey = (\"%d\" % len(plaintext)).encode()  # decimal file size as the RC4 key\r\nrc4 = ARC4.new(key)\r\ncipher_content = rc4.encrypt(plaintext).hex().upper()\r\nThese versions replace the use of cleartext strings with encrypted stack strings. They are still hardcoded in the file, but the obfuscation surrounding them, and the use of different keys, makes it hard to decrypt them statically in an automated manner. This same technique is used heavily in the subsequent stages. 
Encrypted stack strings are also used to obfuscate calls to Windows API functions.\r\nFirst, the name of the target function is decrypted and passed to a function. This function obtains a pointer to the InMemoryOrderModuleList field of the PEB (Process Environment Block). It then iterates over the loaded modules, passing each handle to GetProcAddress along with the function name until the target function is successfully resolved. Part of this process can be seen in Figure 5. Since the names never appear in the import table or as cleartext strings, static import analysis shows little; hooking GetProcAddress (or breaking on it in a debugger) and logging its arguments recovers the full list of APIs at runtime.\r\nFigure 5. Obfuscation of Windows API calls in the downloader. The screenshot shows a call to WriteFile, but the same pattern is used for all API functions.\r\nLoader\r\nAs is common with Korplug, the loader is a DLL that exploits a side-loading vulnerability in a legitimate, signed executable. We have observed many different applications being abused in this campaign, for instance a vulnerable SmadAV executable previously seen by Qurium in a campaign attributed to Mustang Panda that targeted Myanmar.\r\nThe loader exports multiple functions. The exact list varies depending on the abused application, but in all cases, only one of them does anything of consequence. In all of the loaders we observed, this is the exported function with the highest load address. All the other exports, and the library’s entry point, either return immediately or execute some do-nothing junk code. Many of these exports have names that consist of random lowercase letters and point to the same address, as shown in Table 1.\r\nTable 1. Functions exported by a Hodur loader. 
The createSystemFontsUsingEDL export is the one that loads the final malware stage in this version.\r\nName | Ordinal | Function RVA\r\nCreatePotPlayerExW | 1 | 0x00007894\r\nRunPotPlayer | 2 | 0x000166A5\r\ncreateSystemFontsUsingEDL | 3 | 0x00016779\r\ngGegcerhwyvxtkrtyawvugo | 4 | 0x00007894\r\nliucigvyworf | 5 | 0x00007639\r\nojohjinbgdfqtcwxojeusoneslciyxtiyjuieaugadjpd | 6 | 0x000077CA\r\nsoeevhiywsypipesxfhgxboleahfwvlqcqp | 7 | 0x00007894\r\nsrkeqffanuhiuwahbmatdurggpffhbkcpukyxgxmosn | 8 | 0x00007894\r\nthggvmrv | 9 | 0x00007701\r\nThe loader function obtains the directory from which the DLL is running using GetModuleFileNameA and tries to open the encrypted Korplug file it contains. That filename is hardcoded in the loader. It reads the file’s contents into a locally allocated buffer and decrypts it. The loader makes this buffer executable using VirtualProtect before calling into it at offset 0x00.\r\nWindows API function calls are obfuscated with a different technique than that used in the downloader. While the loader’s own exported functions have their names in the binary (as shown in Table 1 above), the Windows API functions it calls are present only as 64-bit hashes. To resolve those functions, the loader traverses the export lists of all loaded libraries via the InMemoryOrderModuleList of the PEB. Each export’s name is hashed, then compared to the expected value. The FNV-1a hash algorithm, recently brought back into the mainstream by the Sunburst backdoor, has previously been used by Mustang Panda, in Korplug loaders documented by XORHEX, to resolve GetProcAddress and LoadLibraryA, although it was not identified by name in that analysis. In this version, however, it is used for all API functions.\r\nKorplug backdoor\r\nKorplug (also known as PlugX) is a RAT used by multiple APT groups. In spite of it being so widely used, or perhaps because of it, few reports extensively describe its commands and the data it exfiltrates. 
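As an added example (not code from the ESET report or from the malware), here is how an analyst can recover the API names behind the hash-based import resolution described in the Loader section above: hash the export names of the relevant DLLs with FNV-1a and look the loader's hash constants up in the resulting table. It assumes the standard 64-bit FNV-1a parameters (offset basis 0xcbf29ce484222325, prime 0x100000001b3) computed over the raw ASCII export name without a terminator; the report does not state the parameters, so a loader that tweaks the basis or case-folds names would need those adjusted. The export list below is a constructed sample standing in for the names a PE parser would extract from each loaded module.

```python
# Added example: annotate 64-bit FNV-1a API hashes found in a Korplug loader.
# Assumptions (not stated in the report): standard FNV-1a 64 parameters and
# the hash taken over the raw ASCII export name without a NUL terminator.
from typing import Dict, Iterable, Optional

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a64(data: bytes) -> int:
    """Standard 64-bit FNV-1a: XOR each byte into the state, then multiply."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & MASK64
    return h


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name. In practice feed this with the export names
    parsed (e.g. with pefile) from every DLL the loader could find in
    InMemoryOrderModuleList; a constructed list is used here."""
    return {fnv1a64(name.encode("ascii")): name for name in exports}


def resolve_hash(h: int, table: Dict[int, str]) -> Optional[str]:
    """Mirror of the loader's lookup: hash each export name, compare."""
    return table.get(h)


# Constructed sample of kernel32 export names; a real run would use the
# full export directory of each loaded module.
SAMPLE_EXPORTS = [
    "CreateFileA", "GetModuleFileNameA", "GetProcAddress", "LoadLibraryA",
    "ReadFile", "VirtualAlloc", "VirtualProtect", "WriteFile",
]


def annotate(hashes: Iterable[int],
             exports: Iterable[str] = SAMPLE_EXPORTS) -> Dict[int, Optional[str]]:
    """Resolve hash constants copied out of the loader's disassembly (the
    immediates passed to its resolver) to API names, or None if unknown."""
    table = build_hash_table(exports)
    return {h: resolve_hash(h, table) for h in hashes}
```

Usage: collect the 64-bit immediates passed to the loader's resolver function, call annotate() on them and rename the call sites; an unresolved hash usually means the export list of the right module has not been added yet.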
Its functionality is not constant between variants, but there does seem to exist a significant overlap in the list of commands between the version we analyzed and other sources such as the Avira report from January 2020 and the plugxdecoder project on GitHub.\r\nAs previously mentioned, the variant used in this campaign bears many similarities to the THOR variant, which is why we have named it Hodur. The similarities include the use of the Software\\CLASSES\\ms-pu registry key, the same format for C\u0026C servers in the configuration, and use of the Static window class.\r\nAs expected for Korplug payloads, this stage is only ever decrypted in memory by the loader. Only the encrypted version is written to disk in a file with a .dat extension.\r\nUnless stated otherwise, all hardcoded strings discussed in this section are stored as encrypted stack strings.\r\nIn this module, Windows API functions are obfuscated through a combination of the methods used in previous stages. LoadLibraryA and GetProcAddress are resolved via the FNV-1a hashing technique, and stack strings are decrypted and passed to them to obtain the target function.\r\nLoading\r\nOnce decrypted, the payload is a valid DLL that exports a single function. In almost all observed samples from this campaign, this function is named StartProtect. However, launching it directly via this export or its entry point will not execute the main payload, and the loading process is quite intricate.\r\nAs explained in the previous section, the file is decrypted in memory as a continuous blob by the loader and execution starts at offset 0x00. The PE header contains shellcode, shown in Figure 6, that calls a specific offset that corresponds to the module’s single export.\r\nFigure 6. Shellcode in the PE header that calls the exported function\r\nThis function parses the PE blob in memory and manually maps it as a library into a newly allocated buffer. This includes mapping the various sections, resolving imports and, finally, calling the DLL entry point with DLL_PROCESS_ATTACH. Once again, opaque predicates and junk code are used to obfuscate the purpose of this function.\r\nThe entry point of the properly loaded library is then called with the non-standard value of 0x04 for the fdwReason parameter (only values from 0x00 to 0x03 are currently defined). This special value is required to get it to execute its main payload. This simple check prevents the RAT from being trivially executed directly with a generic tool like rundll32.exe; for dynamic analysis, a small harness that maps the decrypted DLL and calls its entry point with fdwReason set to 0x04 gets around it.\r\nThe backdoor first decrypts its configuration using the string 123456789 as a repeating XOR key. Once decrypted, the configuration block starts with ########. The layout of the configuration varies slightly between samples, but they all contain at least the following fields:\r\nInstallation directory name. Also used as the name of the registry key created for persistence. This value roughly corresponds to the name of the abused application with three random letters appended (e.g., FontEDLZeP or AdobePhotosGQp)\r\nMutex name\r\nA value that is either a version or ID string\r\nList of C\u0026C servers. Each entry includes IP address, port number, and a number indicating the protocol to use with that C\u0026C\r\nThe backdoor then checks the path from which it is running using GetModuleFileNameW. If this matches %userprofile%\\\u003cinstallation directory\u003e or %allusersprofile%\\\u003cinstallation directory\u003e, the RAT functionality will be executed. Otherwise, it will go through the installation process.\r\nInstallation\r\nTo install itself, the malware creates the aforementioned directory under %allusersprofile%. 
Using SetFileAttributesW, it is then marked as hidden and system. The vulnerable executable, loader module, and encrypted Korplug files are copied to the new directory.\r\nNext, persistence is established. Earlier samples achieved this by creating a scheduled task to be run at boot via schtasks.exe. Newer samples add a registry entry to Software\\Microsoft\\Windows\\CurrentVersion\\Run, trying the HKLM hive first, then HKCU. This entry has the same name as the installation directory with its value set to the newly copied executable’s path. Once persistence has been set up, the malware launches the executable from its new location and exits. For defenders, a Run value whose name matches a hidden system directory under %allusersprofile% (or %userprofile%) containing a signed third-party executable next to a DLL and a .dat file is a compact hunting pattern for this stage.\r\nRAT\r\nThe RAT functionality of the Hodur variant used in this campaign mostly lines up with other Korplug variants, with some additional commands and characteristics. As we have previously stated, though, detailed analyses of Korplug commands are few and far between, so we aim to provide such an analysis in the hopes of aiding future analysts.\r\nWhen in this mode, the backdoor iterates through the list of C\u0026C servers in its configuration until it reaches the end or receives an Uninstall command. For each of those servers, it processes commands until it receives a Stop command or encounters an error.\r\nHodur’s initial handshake can be done over HTTPS or TCP. This is determined by a value in the configuration for that particular C\u0026C server. Subsequent communication is always done over TCP using a custom protocol that we describe in this section, along with the commands that can be issued. Hodur uses sockets from the Windows Sockets API (Winsock) that support overlapped I/O.\r\nFollowing the initial handshake, Hodur’s communications involve TCP messages that consist of a header, with the structure described in Table 2, followed by a message body that is usually compressed using LZNT1 and always encrypted with RC4. Messages whose Command number header field has the 0x10000000 bit set (those that contain file contents for the ReadFile and WriteFile commands, described in Table 5) have encrypted but not compressed message bodies. All encrypted message bodies use the hardcoded key sV!e@T#L$PH% with a four-byte random nonce (the value at offset 0x00 in the header) appended to it. Because the key is static and the nonce travels in the clear, captured traffic can be decrypted offline without any sample-specific material.\r\nTable 2. Header format used for communication between the C\u0026C and the backdoor\r\nOffset | Field | Description\r\n0x00 | Nonce | Random nonce appended to the RC4 key.\r\n0x04 | Command number | The command to run, or the command that caused this response to be sent.\r\n0x08 | Length of body | Length of the message body. This field does not appear to be checked by the client for messages from the C\u0026C server.\r\n0x0C | Command exit status | The return or error value of the command that was run. This field is not checked by the client in messages received from the C\u0026C server.\r\nHodur’s C\u0026C message headers are transmitted in the clear, followed by variably sized (the value at offset 0x08 of the header) message bodies. 
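As an added example (not code from the report, from ESET, or from the malware), the following Python decodes the two RC4-based encodings this page describes: the hex-encoded, size-keyed files served by the download servers (Downloader section) and the C&C messages described just above. It assumes that the nonce is appended to the static key as the four raw header bytes in wire order, that the header fields are 32-bit little-endian integers, and that the body is in the standard Windows LZNT1 format (what RtlCompressBuffer produces) whenever the 0x10000000 bit is clear. The file content and messages in the test are constructed, not captured. The LZNT1 writer emits only literal tokens, which yields a valid stream a client will accept but does not actually compress.

```python
# Added example: decode Hodur's RC4-based encodings (own code, not the
# malware's or ESET's). Assumptions are marked inline.
import struct

C2_KEY = b"sV!e@T#L$PH%"          # static RC4 key named in the report
FILE_DATA_BIT = 0x10000000        # set: body encrypted but not LZNT1-compressed
HEADER = struct.Struct("<IIII")   # nonce, command, body length, exit status (assumed LE)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), so the example has no dependencies."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Download-stage files: RC4 keyed with the decimal file size, then hex-encoded.
def encode_downloaded_file(plaintext: bytes) -> str:
    return rc4(str(len(plaintext)).encode(), plaintext).hex().upper()


def decode_downloaded_file(hex_text: str) -> bytes:
    blob = bytes.fromhex(hex_text)
    # RC4 preserves length, so the key is recoverable from the blob alone.
    return rc4(str(len(blob)).encode(), blob)


# LZNT1 (Windows RtlCompressBuffer format): 2-byte chunk header, then groups
# of one flag byte and eight literals or (displacement, length) tokens.
def lznt1_decompress(data: bytes) -> bytes:
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if hdr == 0:
            break
        chunk = data[pos:pos + (hdr & 0xFFF) + 1]
        pos += len(chunk)
        if not hdr & 0x8000:                 # bit 15 clear: stored chunk
            out += chunk
            continue
        base, i = len(out), 0
        while i < len(chunk):
            flags, i = chunk[i], i + 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not flags >> bit & 1:
                    out.append(chunk[i])
                    i += 1
                    continue
                token = struct.unpack_from("<H", chunk, i)[0]
                i += 2
                # Length field shrinks as more of this chunk has been produced.
                p, l_mask, o_shift = len(out) - base - 1, 0xFFF, 12
                while p >= 0x10:
                    p, l_mask, o_shift = p >> 1, l_mask >> 1, o_shift - 1
                length, offset = (token & l_mask) + 3, (token >> o_shift) + 1
                for _ in range(length):      # byte-wise copy handles overlap
                    out.append(out[-offset])
    return bytes(out)


def lznt1_store(data: bytes) -> bytes:
    """Valid single-chunk LZNT1 stream made only of literals (no compression)."""
    if not data:
        return b""
    if len(data) > 3584:                     # flag bytes + literals must fit in 4096
        raise ValueError("single-chunk helper: body too large")
    body = b"".join(b"\x00" + data[g:g + 8] for g in range(0, len(data), 8))
    return struct.pack("<H", 0xB000 | (len(body) - 1)) + body


# C&C messages: cleartext header, body = RC4(C2_KEY + nonce, LZNT1(body)).
def build_c2_message(nonce: int, command: int, body: bytes, status: int = 0) -> bytes:
    if not command & FILE_DATA_BIT:
        body = lznt1_store(body)
    nonce_bytes = struct.pack("<I", nonce)
    enc = rc4(C2_KEY + nonce_bytes, body)    # assumption: raw header bytes appended
    return nonce_bytes + struct.pack("<III", command, len(enc), status) + enc


def parse_c2_message(raw: bytes) -> dict:
    nonce, command, body_len, status = HEADER.unpack_from(raw)
    if body_len > len(raw) - HEADER.size:    # the implant skips this check; a decoder should not
        raise ValueError("truncated message")
    plain = rc4(C2_KEY + raw[:4], raw[HEADER.size:HEADER.size + body_len])
    if not command & FILE_DATA_BIT:
        plain = lznt1_decompress(plain)
    return {"nonce": nonce, "command": command, "status": status, "body": plain}
```

Usage: feed parse_c2_message() each reassembled TCP message from a capture (header first, then body_len bytes); build_c2_message() produces the server side of the exchange, for instance a GetEnvValue request (0x300E) or an uncompressed WriteFile data chunk (0x10003008), which is useful when writing a decoy C&C to drive a sample in a lab.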
The format of the message body varies per command, but once decrypted and decompressed, values of variable length (like strings) are always at a message body’s end and their offset in the body is stored as an integer in the corresponding message field.\r\nLike the version described by Avira, Hodur has two groups of commands – 0x1001 and 0x1002 – each with its own handler. The C\u0026C server can set which group to listen for by sending the corresponding ID as the command number when a client is not already in one of the two modes. It will continue to listen for the same group until it receives the Stop command, or an error occurs (including receiving a message with an invalid Command number in its header).\r\nThe first group, 0x1001, contains commands for managing the execution of the backdoor and doing initial reconnaissance on a newly compromised host. As these commands take no arguments, messages sent by the C\u0026C server consist only of the headers. Table 3 contains a list of these commands. The GetSystemInfo command is described in more detail below. Note that no command names are present in the RAT; they were either taken from previous analyses or provided by us.\r\nTable 3. Commands in group 0x1001\r\nID | Name | Description | Data in client response\r\n0x1000 | Ping | Sent by the client when it starts listening for commands from this group. | Between 0 and 64 random bytes\r\n0x1001 | GetSystemInfo | Get information about the system. | See Table 4\r\n0x1002 | ListenThread | Start a new thread that listens for group 0x1002 commands. | None\r\n0x1004 | ResetConnection | Terminate with WSAECONNRESET. | N/A\r\n0x1005 | Uninstall | Delete persistence registry keys, remove itself and created folders. | None\r\n0x1007 | Stop | Set registry key System\\CurrentControlSet\\Control\\Network\\allow to 1 and exit. | N/A\r\nThe GetSystemInfo command collects extensive information about the system, as detailed in Table 4. If it doesn’t already exist, the Software\\CLASSES\\ms-pu\\CLSID registry key is set to the current timestamp, trying HKLM first then HKCU. The value of this key is then sent in the response. Both this key and the Network\\allow value written by the Stop command are host artifacts worth checking on a suspected machine.\r\nTable 4. Response body format for the GetSystemInfo response\r\nOffset | Value\r\n0x00 | Magic bytes 0x20190301\r\n0x04 | Client IP address of the C\u0026C socket\r\n0x08 | Server IP address of the C\u0026C socket\r\n0x0C | RAM in KB\r\n0x10 | CPU clock rate in MHz\r\n0x14 | Display width in pixels\r\n0x18 | Display height in pixels\r\n0x1C | Default locale\r\n0x20 | Current tick count\r\n0x24 | OS major version\r\n0x28 | OS minor version\r\n0x2C | OS build number\r\n0x30 | OS platform ID\r\n0x34 | Service pack major version\r\n0x36 | Service pack minor version\r\n0x38 | Suite mask\r\n0x3A | Product type\r\n0x3C | 0x01 if the process is running as WOW64\r\n0x40 | System time – year\r\n0x42 | System time – month\r\n0x44 | Timestamp of first run (offset)\r\n0x46 | Service pack version string (offset)\r\n0x48 | Unknown\r\n0x4A | Username (offset)\r\n0x4C | Computer name (offset)\r\n0x4E | Mutex name (offset)\r\n0x50 | Unknown\r\n0x52 | List of machine IP addresses (offset)\r\n0x54 | Always two 0x00 bytes\r\nThe 0x1002 group contains commands that provide RAT functionality, as detailed in Table 5. Some of these take parameters provided in the command’s message body. The FindFiles command is described in more detail below. Again, note that no command names are present in the RAT; they were either taken from previous analyses or provided by us.\r\nTable 5. 
Commands in group 0x1002 (rows marked cont. belong to the command named above them)\r\nID | Name | Description | Data in C\u0026C request | Data in client response\r\n0x1002 | Ping | Sent by the client when it starts listening for commands from this group. | N/A | None\r\n0x3000 | ListDrives | List all mapped drives (A: to Z:) and their properties. All 26 entries are sent back in one message body. Drives that aren’t present have all fields set to 0x00. | None | Drive type; Total size; Space available to user; Free space; Volume name (offset); File system name (offset)\r\n0x3001 | ListDirectory | List the contents of the specified directory. The client sends one response message per entry. | Directory path | Is a directory?; File attributes; File size; Creation time; Last write time; Filename (offset); 8.3 filename (offset)\r\n0x3002 | ListDirectory (cont.) | Sent by the client when it has finished executing the ListDirectory command. | N/A | None\r\n0x3004 | ReadFile | Read a file in chunks of 0x4000 bytes. | Creation time; Last access time; Last write time; Has offset; Offset in file; File size; File path (request and response fields as listed; the two columns are merged in the archived table) | \r\n0x10003005 | ReadFile (cont.) | Chunk of read file data. | N/A | Read data\r\n0x10003006 | ReadFile (cont.) | Sent by the client when it has finished executing the ReadFile command. | N/A | None\r\n0x3007 | WriteFile | Write to a file and restore previous timestamp. Creates parent directories if they don’t exist. | Creation time; Last access time; Last write time; Has offset; Offset in file; File path (offset) | None\r\n0x10003008 | WriteFile (cont.) | Sent by the server with data to write to the file. | Data to write | N/A\r\n0x10003009 | WriteFile (cont.) | Sent by the server when the WriteFile operation is complete. | None | N/A\r\n0x300A | CreateDirectory | Create a directory. | Directory path | None\r\n0x300B | CanReadFile | Try to open a file with read permissions. | File path | None\r\n0x300C | DesktopExecute | Execute a command on a hidden desktop. | Command line to execute | PROCESS_INFORMATION structure for the created process.\r\n0x300D | FileOperation | Perform a file operation using SHFileOperation. | wFunc; fFlags; pFrom (offset); pTo (offset) | None\r\n0x300E | GetEnvValue | Get the value of an environment variable. | Environment variable | Environment variable value.\r\n0x300F | CreateProgramDataDir | Creates the directory %SYSTEM%\\ProgramData, optionally with a subdirectory. | Subdirectory relative path (optional) | None\r\n0x3102 | FindFiles | Recursively search a directory for files matching a given pattern. | Starting directory; Search pattern | See response body format in Table 6.\r\n0x7002 | RemoteShell | Start an interactive remote cmd.exe session. | None | None\r\n0x7003 | RemoteShell (cont.) | Result of the last command run. | N/A | Command output\r\nFindFiles command\r\nStarting from the provided directory, this command searches for files whose names match the given pattern. This pattern supports the same wildcard characters as the Windows FindFirstFile API. For each matching file, the client sends a response message with its body in the format described in Table 6.\r\nTable 6. 
Format of the response body for the FindFiles command\r\nOffset | Value\r\n0x00 | File attributes\r\n0x04 | File size in bytes\r\n0x0C | Creation time\r\n0x1C | Last write time\r\n0x24 | Folder path (offset)\r\n0x26 | Filename (offset)\r\n0x28 | 8.3 filename (offset)\r\nOne response message with an empty body is sent once the search is completed.\r\nConclusion\r\nThe decoys used in this campaign show once more how quickly Mustang Panda is able to react to world events. For example, an EU regulation on COVID-19 was used as a decoy only two weeks after it came out, and documents about the war in Ukraine started being used in the days following the launch of the invasion. This group also demonstrates an ability to iteratively improve its tools, including its signature use of trident downloaders to deploy Korplug.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research now also offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nSHA-1 | Filename | ESET detection name | Description\r\n69AB6B9906F8DCE03B43BEBB7A07189A69DC507B | coreclr.dll | Win32/Agent.ADMW | Korpl\r\n10AE4784D0FFBC9CD5FD85B150830AEA3334A1DE | N/A | Win32/Korplug.TC | Decry (dump memo\r\n69AB6B9906F8DCE03B43BEBB7A07189A69DC507B | coreclr.dll | Win32/Agent.ADMW | Korpl\r\n4EBFC035179CD72D323F0AB357537C094A276E6D | PowerDVD18.exe | Win32/Delf.UTN | Korpl\r\nFDBB16B8BA7724659BAB5B2E1385CFD476F10607 | N/A | Win32/Korplug.TB | Decry (dump memo\r\n7E059258CF963B95BDE479D1C374A4C300624986 | N/A | Win32/Korplug.TC | Decry (dump memo\r\n7992729769760ECAB37F2AA32DE4E61E77828547 | SHELLSEL.ocx | Win32/Agent.ADMW | Korpl\r\nF05E89D031D051159778A79D81685B62AFF4E3F9 | SymHp.exe | Win32/Delf.UTN | Korpl\r\nAB01E099872A094DC779890171A11764DE8B4360 | BoomerangLib.dll | Win32/Korplug.TH | Korpl\r\nCDB15B1ED97985D944F883AF05483990E02A49F7 | PotPlayer.dll | Win32/Agent.ADYO | Korpl\r\n908F55D21CCC2E14D4FF65A7A38E26593A0D9A70 | SmadHook32.dll | Win32/Agent.ADMW | Korpl\r\n477A1CE31353E8C26A8F4E02C1D378295B302C9E | N/A | Win32/Agent.ADMW | Korpl\r\n52288C2CDB5926ECC970B2166943C9D4453F5E92 | SmadHook32c.dll | Win32/Agent.ADMW | Korpl\r\nCBD875EE456C84F9E87EC392750D69A75FB6B23A | SHELLSEL.ocx | Win32/Agent.ADMW | Korpl\r\n2CF4BAFE062D38FAF4772A7D1067B80339C2CE82 | Adobe_Caps.dll | Win32/Agent.ADMW | Korpl\r\n97C92ADD7145CF9386ABD5527A8BCD6FABF9A148 | DocConvDll.dll | Win32/Agent.ADYO | Korpl\r\n39863CECA1B0F54F5C063B3015B776CDB05971F3 | N/A | Win32/Korplug.TD | Decry (dump memo\r\n0D5348B5C9A66C743615E819AEF152FB5B0DAB97 | FontEDL.exe | clean | Vulne legitim File G execu\r\nC8F5825499315EAF4B5046FF79AC9553E71AD1C0 | Silverlight.Configuration.exe | clean | Vulne legitim Micro Silver Confi Utility\r\nD4FFE4A4F2BD2C19FF26139800C18339087E39CD | PowerDVDLP.exe | clean | Vulne legitim Powe execu\r\n65898ACA030DCEFDA7C970D3A311E8EA7FFC844A | Symantec.exe | clean | Vulne legitim Syma AntiV execu\r\n7DDB61872830F4A0E6BF96FAF665337D01F164FC | Adobe Stock Photos CS3.exe | clean | Vulne legitim Stock execu\r\nC13D0D669365DFAFF9C472E615A611E058EBF596 | COVID-19 travel restrictions EU reviews list of third countries.exe | Win32/Agent_AGen.NJ | Down\r\n062473912692F7A3FAB8485101D4FCF6D704ED23 | REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe | Win32/TrojanDownloader.Agent.GDL | Down\r\n2B5D6BB5188895DA4928DD310C7C897F51AAA050 | log.dll | Win32/Agent.ACYW | Korpl\r\n511DA645A7282FB84FF18C33398E67D7661FD663 | 2.exe | Win32/Agent.ADPL | Korpl\r\n59002E1A58065D7248CD9D7DD62C3F865813EEE6 | log.dll | Win32/Agent.ADXE | Korpl\r\nF67C553678B7857D1BBC488040EA90E6C52946B3 | KINGSTON.exe | Win32/Agent.ADXZ | Korpl\r\n58B6B5FD3F2BFD182622F547A93222A4AFDF4E76 | PotPlayer.exe | clean | Vulne legitim execu\r\nhttps://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/\r\nPage 11 of 16\r\nNetwork\r\nDomain | IP | First seen | Notes\r\nN/A | 103.56.53[.]120 | 2021-06-15 | Korplug C\u0026C.\r\nN/A | 154.204.27[.]181 | 2020-10-05 | Korplug C\u0026C.\r\nN/A | 43.254.218[.]42 | 2021-02-09 | Download server.\r\nN/A | 45.131.179[.]179 | 2020-10-05 | Korplug C\u0026C.\r\nN/A | 176.113.69[.]91 | 2021-04-19 | Korplug C\u0026C.\r\nupespr[.]com | 45.154.14[.]235 | 2022-01-17 | Download server.\r\nurmsec[.]com | 156.226.173[.]23 | 2022-02-23 | Download server.\r\nN/A | 101.36.125[.]203 | 2021-06-01 | Korplug C\u0026C.\r\nN/A | 185.207.153[.]208 | 2022-02-03 | Download server.\r\nN/A | 154.204.27[.]130 | 2021-12-14 | Korplug C\u0026C.\r\nN/A | 92.118.188[.]78 | 2022-01-27 | Korplug C\u0026C.\r\nzyber-i[.]com | 107.178.71[.]211 | 2022-03-01 | Download server.\r\nlocvnpt[.]com | 103.79.120[.]66 | 2021-05-21 | Download server. This domain was previously used in a 2020 campaign documented by Recorded Future.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 10 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Mustang Panda has registered domains for use as download servers.\r\nResource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Some download servers used by Mustang Panda appear to be on shared hosting.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Mustang Panda uses servers that appear to be exclusive to the group.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Mustang Panda has developed custom loader and Korplug versions.\r\nResource Development | T1588.006 | Obtain Capabilities: Vulnerabilities | Multiple DLL hijacking vulnerabilities are used in the deployment process.\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware | Malicious payloads are hosted on the download servers.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Windows command shell is used to execute commands sent by the C\u0026C server.\r\nExecution | T1106 | Native API | Mustang Panda uses CreateProcess and ShellExecute for execution.\r\nExecution | T1129 | Shared Modules | Mustang Panda uses LoadLibrary to load additional DLLs at runtime. The loader and RAT are DLLs.\r\nExecution | T1204.002 | User Execution: Malicious File | Mustang Panda relies on the user executing the initial downloader.\r\nExecution | T1574.002 | Hijack Execution Flow: DLL Side-Loading | The downloader obtains and launches a vulnerable application so it loads and executes the malicious DLL that contains the second stage.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Korplug can persist via registry Run keys.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Korplug can persist by creating a scheduled task that runs on startup.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The Korplug file is encrypted and only decrypted at runtime, and its configuration data is encrypted with XOR.\r\nDefense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | Directories created during the installation process are set as hidden system directories.\r\nDefense Evasion | T1564.003 | Hide Artifacts: Hidden Window | Korplug can run commands on a hidden desktop. Multiple hidden windows are used during the deployment process.\r\nDefense Evasion | T1070 | Indicator Removal on Host | Korplug’s uninstall command deletes registry keys that store data and provide persistence.\r\nDefense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | Korplug can remove itself and all created directories.\r\nDefense Evasion | T1070.006 | Indicator Removal on Host: Timestomp | When writing to a file, Korplug sets the file’s timestamps to their previous values.\r\nDefense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | Scheduled tasks created for persistence use legitimate-looking names.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | File and directory names match expected values for the legitimate app that is abused by the loader.\r\nDefense Evasion | T1112 | Modify Registry | Korplug can create, modify, and remove registry keys.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Some downloaded files are encrypted and stored as hexadecimal strings.\r\nDefense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Imports are hidden by dynamic resolution of API function names.\r\nDefense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection | Some versions of the Korplug loader inject the Korplug DLL into a newly launched process.\r\nDefense Evasion | T1620 | Reflective Code Loading | Korplug parses and loads itself into memory.\r\nDiscovery | T1083 | File and Directory Discovery | Korplug can list files and directories along with their attributes and content.\r\nDiscovery | T1082 | System Information Discovery | Korplug collects extensive information about the system including uptime, Windows version, CPU clock rate, amount of RAM and display resolution.\r\nDiscovery | T1614 | System Location Discovery | Korplug retrieves the system locale using GetSystemDefaultLCID.\r\nDiscovery | T1016 | System Network Configuration Discovery | Korplug collects the system hostname and IP addresses.\r\nDiscovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | The downloader pings Google’s DNS server to check internet connectivity.\r\nDiscovery | T1033 | System Owner/User Discovery | Korplug obtains the current user’s username.\r\nDiscovery | T1124 | System Time Discovery | Korplug uses GetSystemTime to retrieve the current system time.\r\nCollection | T1005 | Data from Local System | Korplug collects extensive data about the system it’s running on.\r\nCollection | T1025 | Data from Removable Media | Korplug can collect metadata and content from all mapped drives.\r\nCollection | T1039 | Data from Network Shared Drive | Korplug can collect metadata and content from all mapped drives.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Korplug can make the initial handshake over HTTPS.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | C\u0026C communication is done over a custom TCP-based protocol.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | C\u0026C communication is encrypted using RC4.\r\nCommand and Control | T1008 | Fallback Channels | The Korplug configuration contains fallback C\u0026C servers.\r\nCommand and Control | T1105 | Ingress Tool Transfer | Korplug can download additional files from the C\u0026C server.\r\nCommand and Control | T1571 | Non-Standard Port | When Hodur performs its initial handshake over HTTPS, it uses the same port (specified in the configuration) as for the rest of the communication.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | Korplug compresses transferred data using LZNT1.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Data exfiltration is done via the same custom protocol used to send and receive commands.\r\nSource: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/"
	],
	"report_names": [
		"mustang-panda-hodur-old-tricks-new-korplug-variant"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c659b44a020fb13843950889b8c5c57569dca489.pdf",
		"text": "https://archive.orkl.eu/c659b44a020fb13843950889b8c5c57569dca489.txt",
		"img": "https://archive.orkl.eu/c659b44a020fb13843950889b8c5c57569dca489.jpg"
	}
}