{
	"id": "ba7b442c-8999-4307-b335-fb48b67cde5c",
	"created_at": "2026-04-06T00:18:46.803566Z",
	"updated_at": "2026-04-10T03:36:06.544186Z",
	"deleted_at": null,
	"sha1_hash": "c7cb920d38e8f56bcb66a9efad21667070ffda68",
	"title": "DiceyF deploys GamePlayerFramework in online casino development studio",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 510104,
	"plain_text": "DiceyF deploys GamePlayerFramework in online casino development\r\nstudio\r\nBy Kurt Baumgartner\r\nPublished: 2022-10-17 · Archived: 2026-04-05 17:20:11 UTC\r\nThe Hacktivity 2022 security festival was held at the MOM Cultural Center in Budapest, Hungary, over two days, October\r\n6-7th 2022. One of several presentations by our GReAT researchers included an interesting set of APT activity targeting\r\nonline casino development and operations environments in Southeast Asia. A recorded video of the presentation is already\r\nonline. You can watch it here:\r\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nAll of our research, including a full set of IoCs and Yara rules, is written up in the two-part report “DiceyF Deploys\r\nGamePlayerFramework in Online Casino Development Studio”, already available to our private report subscribers. Some\r\ntechnical analysis from the report is provided here, along with a reference set of IoCs. You can find more information about\r\ntrial and pay report subscription options at intelreports@kaspersky.com.\r\nWho is at the table\r\nWe call this APT “DiceyF”. They have been targeting online casinos and other victims in Southeast Asia reportedly for years\r\nnow. Our research shows overlap with LuckyStar PlugX, a supply chain incident privately reported. TTPs, secure messaging\r\nclient abuse, malware, and targeting demonstrate that this set of activity and resources align with Earth\r\nBerberoka/GamblingPuppet activity discussed at Botconf 2022 by Trend Micro researchers, also discussed as an unknown\r\nhttps://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/\r\nPage 1 of 11\n\nor developing cluster by other vendors. 
Prior to “Operation Earth Berberoka”, Trend Micro reported on “Operation DRBControl”, which also aligns with this activity and resource set.\r\nSo, do we have another Ocean’s Eleven Clooney-Pitt duo targeting the largest casinos for shocking levels of criminality, revenge, and theft? No, we don’t. In the related DiceyF incident that we report on, there was no evidence observed to date of immediate financial motivation or cash theft. By contrast, previous incidents reported by Trend Micro researchers exhibited customer PII database exfiltration and source code theft. Possibly we have a mix of espionage and IP theft, but the true motivations remain a mystery.\r\nRolling the dice\r\nAn interesting combination of detections and characteristics sparked interest in this activity. These data points included:\r\nPlugX installers signed by a potentially stolen digital certificate from a secure messaging client development studio\r\nMalware distribution via an employee monitoring system and a security package deployment service\r\nUnusual .NET code signed with the same potentially stolen certificate and calling back to the same domain as the PlugX C2\r\nIn November 2021, multiple PlugX loaders and payloads were detected in a network, which is often a wearisome topic to investigate. This time, however, the PlugX installer triad was deployed as an executable signed with a legitimate digital certificate, through two channels: an employee monitoring service and a security package deployment service. This legitimate digital certificate appeared to have been stolen from a development and build studio for a secure messaging client. These PlugX payloads communicated with a C2 at apps.imangolm[.]com. Not much later, the same security package deployment service was used to push GamePlayerFramework downloaders, which communicated with the same C2 and were signed with the same digital certificate.\r\nFurther research revealed a targeting profile suggesting an online casino development studio and, later, recruited/outsourced development systems on disparate networks. Waves of .NET downloader deployments followed and coincided with the PlugX deployments, signed by the same digital certificate.\r\nThese downloaders maintained PDB strings with “PuppetLoader” file paths. These PuppetLoader strings clearly connected the multistage loaders with past PuppetLoader downloaders, only this time redesigned and rewritten in C#. Past PuppetLoaders, written in C++, contain explicit PuppetLoader strings, and the new .NET code contains similar strings, reflecting the previous codebase from several years ago.\r\nWhile these findings were being analyzed and reported, Trend Micro researchers reported on GamblingPuppet/Earth Berberoka at Botconf, and we are confident that this DiceyF GamePlayerFramework activity is a subsequent campaign with a newly developed core malware set. This APT, DiceyF, aligns with the previously reported GamblingPuppet and Operation DRBControl resources and activity, which we also observed in earlier data:\r\nPlugX and PuppetLoader multistage loader\r\nOnline casino targeting in Southeast Asia\r\nLack of evidence presenting a financial motivation (Trend Micro observed customer database and source code exfiltration in Operation DRBControl)\r\nChinese language in use, particularly in GamePlayerFramework error strings and plugin names and paths\r\nData theft focus for backdoors, including keystrokes and clipboard\r\nStolen digital certificate re-use\r\nObscure secure messaging client as delivery vehicle for malware and cloak for malicious activity\r\nGamePlayerFramework is a complete C# rewrite of the previously mentioned PuppetLoader C++/assembly malware. This “framework” includes downloaders, launchers, and a set of plugins that provide remote access and steal keystrokes and clipboard data. The newer (summer 2022) executables are mostly 64-bit .NET binaries compiled against .NET v4.5.1, but some are 32-bit, or DLLs, and compiled against .NET v4.0. There are at least two branches to this framework, “Tifa” and “Yuna”, and both branches maintain new modules, incrementally modified over time:\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Tifa\\*.pdb\r\nC:\\Users\\fucker\\Desktop\\Fucker\\GamePlayerFramework\\Tifa\\*.pdb\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\*.pdb\r\nFinal Fantasy code quirks\r\nPlayers may be familiar with the Final Fantasy game series, where Tifa and Yuna are two of the main characters. The Tifa and Yuna branches are different from one another: the Tifa branch includes only a downloader and a “core” module; the Yuna branch includes a downloader, plugins, and various PuppetLoader components, at least a dozen in total.\r\n
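The PDB paths above (and the full list in the IoC section at the end) are the most durable static indicator for this framework, because they survive renaming of the compiled file. As an added example (my illustration, not code from the report or from Kaspersky), the following Python pulls the CodeView RSDS debug record out of a sample and classifies each GamePlayerFramework hit by branch, project directory and compiled name. The RSDS layout used (signature, 16-byte GUID, 4-byte age, NUL-terminated path) is the standard CodeView record; the sample byte strings are constructed inline from two PDB paths listed in the report plus one benign path I made up.\r\n
```python
import struct
from typing import Optional

# Taken from the PDB paths listed in the report: the branch directory sits
# directly under this marker and the .pdb name is the compiled project name.
FRAMEWORK_MARKER = 'GamePlayerFramework'
KNOWN_BRANCHES = ('Tifa', 'Yuna')
NUL = bytes(1)

def extract_pdb_paths(data: bytes) -> list:
    '''Return every CodeView RSDS PDB path embedded in data.
    Record layout: b'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    Scanning for the signature instead of walking the PE debug directory also
    catches records in packed, truncated or memory-dumped samples.'''
    paths = []
    pos = data.find(b'RSDS')
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = data.find(NUL, start)
        if end != -1 and end - start < 1024:
            raw = data[start:end]
            # A real PDB path is printable ASCII ending in .pdb; anything else
            # is a chance hit on the 4-byte signature.
            if raw and all(0x20 <= b < 0x7f for b in raw) and raw.lower().endswith(b'.pdb'):
                paths.append(raw.decode('ascii'))
        pos = data.find(b'RSDS', pos + 4)
    return paths

def classify_pdb(path: str) -> Optional[dict]:
    '''Map a PDB path to its framework branch, project directory and compiled
    name when it belongs to GamePlayerFramework; None otherwise.'''
    parts = path.replace('/', '\\').split('\\')
    if FRAMEWORK_MARKER not in parts:
        return None
    idx = parts.index(FRAMEWORK_MARKER)
    branch = parts[idx + 1] if idx + 1 < len(parts) else ''
    project = parts[idx + 2] if idx + 2 < len(parts) else ''
    name = parts[-1]
    component = name[:-4] if name.lower().endswith('.pdb') else name
    return {'branch': branch, 'project': project, 'component': component,
            'known_branch': branch in KNOWN_BRANCHES,
            # the report lists CodeLauncher compiled under a VPN-themed name
            'renamed': bool(project) and component != project}

def scan_sample(data: bytes) -> list:
    '''All GamePlayerFramework PDB hits in one sample.'''
    return [hit for hit in map(classify_pdb, extract_pdb_paths(data)) if hit]

def make_rsds(path: str) -> bytes:
    '''Build a synthetic RSDS record (constructed test data, not a real sample).'''
    return b'RSDS' + bytes(16) + struct.pack('<I', 1) + path.encode('ascii') + NUL

# Constructed samples: two use PDB paths from the report's IoC list, one is benign.
SAMPLE_LAUNCHER = bytes(64) + make_rsds('D:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.Launcher\\obj\\Release\\Yuna.Launcher.pdb') + bytes(32)
SAMPLE_RENAMED = make_rsds('D:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.PuppetLoader.CodeLauncher\\obj\\Release\\VpnSohDesktop.pdb')
SAMPLE_BENIGN = make_rsds('C:\\build\\hello\\obj\\Release\\hello.pdb')

if __name__ == '__main__':
    for label, blob in (('launcher', SAMPLE_LAUNCHER), ('renamed', SAMPLE_RENAMED), ('benign', SAMPLE_BENIGN)):
        print(label, scan_sample(blob))
```
On a real triage box you would feed scan_sample the bytes of each PE (or of a process memory dump), then pivot on the project directory rather than the file name: the CodeLauncher sample above carries a VpnSohDesktop.pdb name, which is exactly the kind of rename the project field catches.\r\n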
Even the downloaders are fairly different from one another. In fact, the Yuna.Downloader code changes quite a bit over time, including in its JSON parsing, logging, and encryption capabilities; ongoing code development is on display here. The Tifa branch was deployed to victims first, in November 2021, and these Tifa downloaders have more primitive functionality than the later Yuna downloaders. Code-signing coordination also appears to have been poorly organized in November: only one of the three Tifa downloaders was signed, the other two being unsigned, unlike the Yuna downloaders.\r\nThe initial Tifa downloaders were already using “Mango” and “Mongo” function names, just like artifacts found in Yuna downloaders, along with the aforementioned apps.imangolm[.]com C2 used by the PlugX implant. Later Yuna downloaders were distributed with the filename “mango.exe”. Two of the Tifa.Downloader variants introduced a “DownloaderVersion” string, likely so the attackers could maintain backwards compatibility on the server side. Some later Yuna.Downloader variants increase in functionality and complexity, but multiple early variants and the Tifa branch are quite simple.\r\nLoading the framework\r\nOnce the downloader has run and persistence is set up, multiple components load the framework. The overall process of loading the framework can be summarized with the following graph:\r\nThis load sequence results in running the “Launcher” component. Despite the name, the main functionality of this module is not to perform launching. Instead, it is the orchestrator of the framework, i.e. it manages all the framework components.\r\nAfter completing the startup process, the orchestrator starts sending heartbeat packets to the C2 server every 20 seconds. Each such packet is an XOR-encrypted JSON object that contains the following information:\r\nUsername of the logged-in user\r\nCurrent user session status (locked or unlocked)\r\nSize of the logs collected by the clipboard recorder plugin\r\nCurrent date and time\r\nThe C2 responds with one of fifteen commands:\r\nCommand name | Command arguments | Description\r\nPluginKeepAlive, KeepAlive | N/A | Updates an internal timestamp with the last C2 response time\r\nPluginDestory [sic] | N/A | Shuts down the framework\r\nGetSystemInfo | N/A | Retrieves various system information, namely: local network IP addresses; available privileges (SYSTEM, administrator or normal user); network protocol used for C2 communication (hardcoded to Tcpv4 in all discovered samples); framework version (in the format yyyymmdd.xx, e.g. 20220506.00); downloader module version; CPU name; available RAM; operating system version; address of the C2 server in use; size of the clipboard recorder logs; installed security solution; BIOS serial number; MAC addresses; machine boot time\r\nFastCmd | Command: command to be executed | Allows execution of shell commands; creates a new cmd.exe process with redirected standard input and output, sends commands to it, and sends the output of the executed commands back to the C2 server\r\nGetDomainSetting | N/A | Sends the list of C2 servers specified in the configuration to the current C2 server\r\nSetDomainSetting | DomainConfig: IP addresses and ports of new C2 servers | Updates the list of C2 servers in the configuration by writing the new C2 server addresses to the file C:\\ProgramData\\NVIDIA\\DConfig\r\nGetRemotePluginInfo | PluginName: name of an installed plugin | Retrieves the version of a locally installed plugin\r\nRunPlugin | PluginName: name of the plugin to be launched; SessionId: ID of the session inside which the plugin is to be launched | Downloads a plugin from the C2 server and launches it\r\nDeleteGuid | N/A | Removes the infection from the machine by creating a batch file that removes all files dropped by the framework installer except for rascustoms.dll; after performing the removal, the batch file deletes itself\r\nFastDownload | FilePath: path of the file to be uploaded | Uploads a file from the victim machine\r\nCachePlugin | PluginName: name of the plugin; PluginVersion: version of the plugin | Downloads a plugin from the C2 server but does not launch it\r\nInstallPlugin | PluginName: name of the plugin to be launched; WaitForExitTimeout: timeout interval | Launches a plugin on the victim machine and waits until the plugin process finishes; on timeout, the orchestrator kills the plugin process\r\nRemoteInject | SubMsg: a string equal to either RunVirtualDesktop or DestoryVirtualDesktop [sic] | Starts (if SubMsg is RunVirtualDesktop) or stops (if SubMsg is DestoryVirtualDesktop) the VirtualDesktop plugin\r\nChromeCookie | SubMsg: a string equal to either RunChromeCookie or GetCookiePath | If SubMsg is RunChromeCookie, launches the ChromeCookie plugin; if it is GetCookiePath, returns the path where Chrome cookies are stored\r\nFirefoxCookie | SubMsg: a string equal to either RunFirefoxCookie or GetCookiePath | If SubMsg is RunFirefoxCookie, launches the FirefoxCookie plugin; if it is GetCookiePath, returns the path where Firefox cookies are stored\r\nPlugins overview\r\nPlugins are EXE files that carry out most of the framework’s malicious activities. Plugins can be configured to be downloaded from the C2 server when the framework starts up, or loaded at any other time using one of the commands above. During its execution, a plugin may connect to the C2 server and receive commands from it. Information about running plugins is stored in the file C:\\ProgramData\\NVIDIA\\DisplaySessionContainer1.ini.\r\nAll plugins of the framework are kept in memory rather than written to disk. Whenever a plugin is downloaded from the C2 server, it is loaded into the framework with the following procedure:\r\nThe orchestrator selects a random port from 10000 to 20000 and launches a local TCP socket server on it.\r\nThe orchestrator creates a new svchost.exe process in suspended mode and injects into it the api-ms-win-core-sys-l1-0-5.dll library mentioned in the “Loading the framework” section.\r\nThe injected library loads the PuppetLoader.Downloader component with the following arguments: -LoadName \u003cplugin name\u003e -PacketId \u003cinternal ID of the network packet with the plugin payload\u003e -Port \u003cserver port generated at the first step\u003e.\r\nThe Yuna.PuppetLoader.Downloader component downloads the plugin executable from the local TCP server and loads it using Load.\r\nThe strings of the orchestrator component reference the following plugin names:\r\nPlugin.采集系统 (Acquisition System)\r\nPlugin.隐藏进程 (Hidden Process)\r\nPlugin.SSH\r\nPlugin.常用功能插件 (General Purpose Plugin)\r\nPlugin.SessionCmd\r\nPlugin.端口转发 (Port Forwarding)\r\nPlugin.屏幕传输 (Screen Transfer)\r\nPlugin.虚拟桌面 (Virtual Desktop)\r\nPlugin.剪贴板 (Clipboard)\r\nPlugin.ChromeCookie\r\nPlugin.FirefoxCookie\r\nWhile tracking deployments of GamePlayerFramework, we observed three of the plugins listed above being used: General Purpose Plugin, Clipboard and Virtual Desktop.\r\nMalicious app with graphical interface\r\nThe application deployed through installation packages of security solutions was designed to mimic an application that synchronizes data of the Mango messaging application. Below is the window displayed to the victim when this application starts:\r\n[Figure: Window of the malicious “Mango Employee Account Data Synchronizer”]\r\nIn order to make the victim trust the malicious window, the attackers employed social engineering. As can be seen from the screenshot, they included the name of the victim organization and even the floor where the organization’s IT department is located. At the same time, the visible window makes the application less suspicious to security solutions.\r\nWhen started, this application:\r\nConnects to the C2 server via a TCP socket. The address and port of the server are specified in the binary. If the connection fails, the application displays a message window with the text “无法连接到芒果员工数据同步服务器! 请反馈至IT部门!” (“Unable to connect to the Mango employee data synchronization server! Please report back to the IT department!”).\r\nSends the following information to the C2 server: version of the installed Mango messenger; machine name; current username; operating system version; list of local IPv4 addresses.\r\nReceives a JSON object containing a Boolean value named IsErrorMachine. If it is set to true, the application displays a message window with the text “尚未认证的机器, 请到10楼的IT部添加机器认证” (“Machine not yet certified; please go to the IT department on the 10th floor to add machine certification”) and exits.\r\nLaunches the exe executable located in the same directory as the application. 
The internal name of this file is Yuna.Downloader.\r\nThe code is under continuous incremental change, and its versioning reflects semi-professional management of the codebase modifications. Over time, the group added Newtonsoft JSON library support, enhanced logging, and encryption for the logs.\r\nInfrastructure\r\nDomain | IP | First seen | ASN\r\napps.imangolm[.]com | 202.182.115.238 | 2021-11-06 | 20473, AS-CHOOPA\r\nquic.flashesplayer[.]com | 202.182.115.238 | 2021-11-10 | 20473, AS-CHOOPA\r\narchivess.imangoim[.]net | 45.77.47.149 | 2022-05-06 | 20473, AS-CHOOPA\r\nAs described above, much of the early implants’ communications activity (both PlugX and the downloaders) called back to infrastructure located in Southeast Asia, reached by resolving an FQDN. Later, in April 2022, some of the Yuna.Downloaders began communicating directly with a hardcoded IP address.\r\nConclusion\r\nThere are many interesting characteristics of DiceyF campaigns and TTPs. The group modifies its codebase over time, and develops functionality in the code throughout its intrusions.\r\nOrganizations need to maintain solid efforts in monitoring the software deployed across their environments. The deployment systems themselves and the deployment process require heightened monitoring and maintenance: what gets deployed, when it gets deployed, and whose credentials are being used. The systems themselves need to be hardened, and security products installed and kept up to date.\r\nGamePlayerFramework enabled DiceyF, the actor behind this framework, to perform cyberespionage activities with some level of stealth. The initial infection method is noteworthy in that the framework is distributed via installation packages deployed through security solution control centers.\r\n
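The plugin-loading procedure described under “Plugins overview” leaves a distinctive host footprint: a loopback TCP listener on a port between 10000 and 20000, a suspended svchost.exe created by a process other than services.exe, the injected api-ms-win-core-sys-l1-0-5.dll, and the DConfig and DisplaySessionContainer1.ini files under C:\\ProgramData\\NVIDIA. As an added example (my detection logic, not code from the report or from Kaspersky), the Python below runs those rules over a constructed, Sysmon-like event stream and correlates the listener with the svchost.exe parent. Two assumptions are marked in the code: services.exe is treated as the only expected svchost.exe parent, and the -LoadName/-PacketId/-Port arguments are assumed to be visible in a command line, which the report does not state. The mango.exe location and the DLL’s on-disk path in the sample events are made up.\r\n
```python
# Indicators taken from the report: the orchestrator's config and plugin-session
# files, the DLL it injects into a suspended svchost.exe, the argument names it
# passes to PuppetLoader.Downloader, and the loopback port range it listens on.
PROGRAMDATA_NVIDIA = 'c:\\programdata\\nvidia\\'
FRAMEWORK_FILES = {'dconfig', 'displaysessioncontainer1.ini'}
INJECTED_DLL = 'api-ms-win-core-sys-l1-0-5.dll'
PLUGIN_LOADER_ARGS = ('-loadname', '-packetid', '-port')
LOADER_PORT_RANGE = range(10000, 20001)
# ASSUMPTION: services.exe is the only expected parent of svchost.exe; extend this
# with your environment's known exceptions before deploying the rule.
EXPECTED_SVCHOST_PARENTS = {'services.exe'}

def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()

def port_arg(cmdline: str):
    '''Integer following -Port in a PuppetLoader.Downloader argument string, or None.'''
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == '-port' and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None

def detect(events: list) -> list:
    '''Run the GamePlayerFramework plugin-loading rules over a list of host events
    and return (host, severity, message) alerts in event order.'''
    alerts = []
    listeners = {}   # (host, listener image path) -> loopback port in the loader range
    for ev in events:
        host, kind = ev['host'], ev['type']
        if kind == 'listen':
            if ev['laddr'] == '127.0.0.1' and ev['port'] in LOADER_PORT_RANGE:
                listeners[(host, ev['image'].lower())] = ev['port']
        elif kind == 'file':
            raw_path = ev['path']
            if raw_path.lower().startswith(PROGRAMDATA_NVIDIA) and basename(raw_path) in FRAMEWORK_FILES:
                alerts.append((host, 'high', f'framework config/session file written: {raw_path}'))
        elif kind == 'image_load':
            loader = basename(ev['image'])
            if basename(ev['image_loaded']) == INJECTED_DLL:
                alerts.append((host, 'high', f'{loader} loaded {INJECTED_DLL}'))
        elif kind == 'process':
            image, parent, cmd = basename(ev['image']), basename(ev['parent_image']), ev['cmdline']
            if image == 'svchost.exe' and parent not in EXPECTED_SVCHOST_PARENTS:
                port = listeners.get((host, ev['parent_image'].lower()))
                if port is not None:
                    # Orchestrator pattern from the report: open a loopback listener, then spawn svchost.exe
                    alerts.append((host, 'critical', f'svchost.exe spawned by {parent}, which holds a loopback listener on port {port}'))
                else:
                    alerts.append((host, 'medium', f'svchost.exe spawned by {parent}'))
            # ASSUMPTION: the loader arguments appear in a command line; the report names
            # them but not how they are passed, so this is the weaker of the two signals.
            if all(arg in cmd.lower() for arg in PLUGIN_LOADER_ARGS):
                port = port_arg(cmd)
                live = any(h == host and p == port for (h, _), p in listeners.items())
                alerts.append((host, 'critical' if live else 'high',
                               f'PuppetLoader.Downloader argument pattern (-Port {port}) in {image}'))
    return alerts

# Constructed event stream in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {'host': 'dev-ws-07', 'type': 'listen', 'image': 'C:\\ProgramData\\NVIDIA\\mango.exe',
     'laddr': '127.0.0.1', 'port': 14731},
    {'host': 'dev-ws-07', 'type': 'process', 'image': 'C:\\Windows\\System32\\svchost.exe',
     'parent_image': 'C:\\ProgramData\\NVIDIA\\mango.exe', 'cmdline': 'svchost.exe'},
    {'host': 'dev-ws-07', 'type': 'image_load', 'image': 'C:\\Windows\\System32\\svchost.exe',
     'image_loaded': 'C:\\ProgramData\\NVIDIA\\api-ms-win-core-sys-l1-0-5.dll'},
    {'host': 'dev-ws-07', 'type': 'file', 'path': 'C:\\ProgramData\\NVIDIA\\DisplaySessionContainer1.ini'},
    {'host': 'build-02', 'type': 'process', 'image': 'C:\\Windows\\System32\\svchost.exe',
     'parent_image': 'C:\\Windows\\System32\\services.exe', 'cmdline': 'svchost.exe -k netsvcs'},
    {'host': 'build-02', 'type': 'file', 'path': 'C:\\ProgramData\\NVIDIA\\Updatus\\Log.txt'},
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
The correlation is what turns a noisy rule (svchost.exe with an odd parent) into a high-confidence one: the report’s sequence is listener first, then the suspended child, so a real pipeline would keep the listener table per host inside a short time window rather than relying on event order as this example does.\r\n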
Furthermore, the components of this framework are signed with a digital certificate that makes the framework more trusted by security solutions. To further disguise the malicious components, the attackers added a graphical interface to some of them. Such implants are masqueraded as components of a messenger used at the victim organizations. To make sure that victims did not become suspicious of the disguised implants, the attackers obtained information about the targeted organizations (such as the floor where the organization’s IT department is located) and included it in the windows displayed to victims. They also used service names, file paths, digital signing certificates, and other artifacts from NVIDIA, Mango, and other legitimate software. The plugins of GamePlayerFramework allow extensive monitoring of victim machines: for example, they are able to monitor keystrokes and the clipboard, browse websites located inside the organization’s local network, or establish virtual desktop sessions. And over the course of several months, DiceyF developers added more encryption capabilities to better hide their logging and monitoring activities.\r\n
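The orchestrator heartbeat described under “Loading the framework” is an XOR-encrypted JSON object, and XOR over a structured plaintext is weak against known-plaintext recovery: the object always opens with a brace and its field names are fixed, so XOR-ing the ciphertext with that prefix exposes the key stream. As an added example (my code, not the report’s or Kaspersky’s), the Python below recovers a repeating XOR key from a single captured heartbeat using such a crib, then decodes the packet. Everything beyond what the report states is an assumption: the report gives the four fields carried (username, session lock state, clipboard-log size, timestamp) but not the JSON key names, the key length or the framing, so the field names, the 4-byte demo key and the sample packet are all constructed.\r\n
```python
import json
from datetime import datetime

# ASSUMPTION: the report names the heartbeat content but not the JSON keys, the key
# length or the framing; these field names and the repeating-key scheme are illustrative.
def build_heartbeat(username: str, locked: bool, clip_log_size: int, when: datetime) -> bytes:
    obj = {'username': username, 'locked': locked,
           'clipboard_log_size': clip_log_size, 'time': when.strftime('%Y-%m-%d %H:%M:%S')}
    return json.dumps(obj, separators=(',', ':')).encode('utf-8')

def xor_bytes(data: bytes, key: bytes) -> bytes:
    '''Repeating-key XOR; the same call encrypts and decrypts.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_heartbeat(plain: bytes):
    '''The JSON object if plain decodes to one, else None (validates a key guess).'''
    try:
        obj = json.loads(plain.decode('utf-8'))
    except ValueError:          # covers both UnicodeDecodeError and JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None

def recover_key(blob: bytes, crib: bytes = b'{', max_period: int = 32):
    '''Recover a repeating XOR key from one captured heartbeat using a known-plaintext
    crib at offset 0. XOR-ing ciphertext with the crib yields the key stream over the
    crib's length; the shortest period that explains that stream and also yields valid
    JSON for the whole packet is the key. The opening brace alone suffices for a 1-byte
    key; a longer key needs a longer crib, e.g. the first field name taken from the
    orchestrator binary's strings. Returns (key, parsed_json) or (None, None).'''
    if len(blob) < len(crib):
        return None, None
    stream = bytes(c ^ p for c, p in zip(blob, crib))
    for period in range(1, min(max_period, len(stream)) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            key = stream[:period]
            obj = parse_heartbeat(xor_bytes(blob, key))
            if obj is not None:
                return key, obj
    return None, None

# Constructed sample traffic: a 4-byte demo key (the real key is not in the report).
DEMO_KEY = bytes([0x5a, 0x13, 0xc7, 0x2e])
DEMO_PACKET = xor_bytes(build_heartbeat('jdoe', False, 4096, datetime(2022, 5, 6, 9, 30, 0)), DEMO_KEY)
# Crib for the longer key: the JSON prefix up to the first colon, built with json.dumps so
# its quoting matches the builder's output. Knowing the first field name is the assumption.
USERNAME_CRIB = ('{' + json.dumps('username') + ':').encode('utf-8')

def dem(): ...
```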
In the future, we expect to see an increase in the number of plugins and observe more unusual defense\r\nevasion methods in this framework.\r\nFinally, the deployment tactic used here isn’t quite as sophisticated as infecting an external component of the supply chain\r\nitself, but can be extremely effective.\r\nIOCs\r\nMD5\r\nTifa.Downloader\r\nddbc9081ed2c503c5e4512a8e61b5389\r\nTifa.Core\r\n49b457ee8eaa83b18cc00d2f579824c6\r\nYuna.Downloader\r\n06711900cc5d7cd665bc1b6ec9d7eacf\r\n1d59e527886e4bd72df0f609239b9d58\r\nYuna.Downloader and Yuna.Launcher containing legitimate Newtonsoft DLL\r\n0c4dae01f21c3d2fa55f38314fe34958\r\n39736c93f7d9cc62cdc00438c174f8a4\r\nYuna.Launcher\r\n07d6bf2df064e97d0e635a67f083f87d\r\n0ac4e0e08bd28e88acd4991071c98261\r\nYuna.Plugin.General\r\ncb8a30fcbcb462be66462f6928c6e44a\r\nYuna.Plugin.ClipboardRecorder\r\n294c22533c950d7d9d74a82729ba3841\r\nYuna.PuppetLoader.CodeLauncher\r\n07ff76be283fb44ce9e9427e12e63aa6\r\nYuna.PuppetLoader.Guard\r\n031466c63bba4eafb11f2966e765c0d2\r\nYuna.PuppetLoader.Downloader\r\n0c4dae01f21c3d2fa55f38314fe34958\r\n19f8809d04c06bba2ad95a937f133a89\r\nhttps://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/\r\nPage 10 of 11\n\nYuna.PuppetLoader.ProcessLoader\r\n969ef4a64203ba2ab54a6822559600cc\r\nYuna.Downloader.DLL.Core\r\n56836b19b5c35c81e006f4843ff63e51\r\nMango.Sync.Updater\r\n3a1780e6fb6250b0fb63d2884788670e\r\n4d72e573d9c4d31371c8020ba7179daf\r\nVPN spoofing DLL\r\n193d192ed0cec2487d18b13aedc94cb6\r\nrascustoms.dll\r\n2bd3b84b318beb5714cac9194078607a\r\nDomains\r\napps.imangolm[.]com\r\narchivess.imangoim[.]net\r\nPDB 
paths\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.Downloader\\obj\\Release\\Yuna.Downloader.pdb\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.Launcher\\obj\\Release\\Yuna.Launcher.pdb\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.Plugin.ClipboardRecorder\\obj\\Release\\Yuna.Plugin.ClipboardRecorder.pdb\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.Plugin.General\\obj\\Release\\Yuna.Plugin.General.pdb\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.Plugin.Installer\\obj\\Release\\Yuna.Plugin.Installer.pdb\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.PuppetLoader.CodeLauncher\\obj\\Release\\VpnSohDesktop.pdb\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.PuppetLoader.Downloader\\obj\\Release\\Yuna.PuppetLoader.Downloader.pdb\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.PuppetLoader.Guard\\obj\\Release\\Yuna.PuppetLoader.Guard.pdb\r\nD:\\Code\\Fucker\\GamePlayerFramework\\Yuna\\Yuna.PuppetLoader.ProcessLoader\\obj\\Release\\Yuna.PuppetLoader.ProcessLoader.p\r\nSource: https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/\r\nhttps://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/"
	],
	"report_names": [
		"107723"
	],
	"threat_actors": [
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "98ba5aeb-dbe4-4388-b187-1b90bb9891ff",
			"created_at": "2023-11-10T02:00:07.508066Z",
			"updated_at": "2026-04-10T02:00:03.439837Z",
			"deleted_at": null,
			"main_name": "DiceyF",
			"aliases": [],
			"source_name": "MISPGALAXY:DiceyF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7cb920d38e8f56bcb66a9efad21667070ffda68.pdf",
		"text": "https://archive.orkl.eu/c7cb920d38e8f56bcb66a9efad21667070ffda68.txt",
		"img": "https://archive.orkl.eu/c7cb920d38e8f56bcb66a9efad21667070ffda68.jpg"
	}
}