{
	"id": "f178b62e-f1ef-459c-b8ed-5d8365df4e26",
	"created_at": "2026-04-06T00:11:48.471894Z",
	"updated_at": "2026-04-10T03:35:32.985847Z",
	"deleted_at": null,
	"sha1_hash": "c99f2f7f66f4ef1cb00a86dd05c37e24a119d35f",
	"title": "New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 372361,
	"plain_text": "New ShroudedSnooper actor targets telecommunications firms in\r\nthe Middle East with novel Implants\r\nBy Asheer Malhotra\r\nPublished: 2023-09-19 · Archived: 2026-04-02 10:41:21 UTC\r\nTuesday, September 19, 2023 08:00\r\nCisco Talos recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against\r\ntelecommunications providers in the Middle East.\r\nHTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with\r\nWindows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and\r\nexecute that content on the infected endpoint.\r\nWe also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept\r\narbitrary shellcode from a named pipe and execute it on the infected endpoint.\r\nWe identified DLL- and EXE-based versions of the implants that masquerade as legitimate security\r\nsoftware components, specifically extended detection and response (XDR) agents, making them difficult to\r\ndetect.\r\nWe assess with high confidence that both implants belong to a new intrusion set we’re calling\r\n“ShroudedSnooper.” Based on the HTTP URL patterns used in the implants, such as those mimicking\r\nMicrosoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits\r\ninternet-facing servers and deploys HTTPSnoop to gain initial access.\r\nThis activity is a continuation of a trend we have been monitoring over the last several years in which\r\nsophisticated actors are frequently targeting telecoms. 
This sector was consistently a top-targeted industry\r\nvertical in 2022, according to Cisco Talos Incident Response data.\r\nShroudedSnooper activity highlights latest threat to telecommunications entities\r\nhttps://blog.talosintelligence.com/introducing-shrouded-snooper/\r\nPage 1 of 11\n\nThis specific cluster of implants involving HTTPSnoop and PipeSnoop and associated tactics, techniques, and\r\nprocedures (TTPs) do not match a known group that Talos tracks. We are therefore attributing this activity to a\r\ndistinct intrusion set we’re calling “ShroudedSnooper.”\r\nIn recent years, there have been many instances of state-sponsored actors and sophisticated adversaries targeting\r\ntelecommunications organizations around the world. In 2022, this sector was consistently a top-targeted vertical in\r\nTalos IR engagements. Telecommunications companies typically control a vast number of critical infrastructure\r\nassets, making them high-priority targets for adversaries looking to cause significant impact. These entities often\r\nform the backbone of national satellite, internet and telephone networks upon which most private and government\r\nservices rely. Furthermore, telecommunications companies can serve as a gateway for adversaries to access other\r\nbusinesses, subscribers or third-party providers.\r\nOur IR findings are consistent with reports from other cybersecurity firms outlining various attack campaigns\r\ntargeting telecommunications companies globally. In 2021, CrowdStrike disclosed a years-long campaign by the\r\nLightBasin (UNC1945) advanced persistent threat (APT) targeting 13 telecommunications companies globally\r\nusing Linux-based implants to maintain long-term access in compromised networks. That same year, McAfee\r\ndiscovered activity targeting telecommunication firms in Europe, the U.S. and Asia dubbed “Operation Diànxùn”\r\nlinked to the Chinese APT group MustangPanda (RedDelta). 
This campaign heavily relied on the PlugX malware\r\nimplant. Also in 2021, Recorded Future reported that four distinct Chinese state-sponsored APT groups were\r\ntargeting the email servers of a telecommunications firm in Afghanistan, again using the PlugX implant.\r\nThe targeting of telecommunications firms in middle-east Asia is also quite prevalent. In January 2021, Clearsky\r\ndisclosed the “Lebanese Cedar” APT leveraging web shells and the “Explosive” RAT malware family to target\r\ntelecommunication firms in the U.S., U.K. and middle-east Asia. In a separate campaign, Symantec noted the\r\nMuddyWater APT targeting telecommunication organizations in the Middle East, deploying web shells on\r\nExchange Servers to instrument script-based malware and dual-use tools to carry out hands-on-keyboard activity.\r\nMasquerading as a security component\r\nWe also discovered both HTTPSnoop and PipeSnoop masquerading as components of Palo Alto Networks’ Cortex\r\nXDR application. The malware executable is named “CyveraConsole.exe,” which is the application that contains\r\nthe Cortex XDR agent for Windows. The variants of both HTTPSnoop and PipeSnoop we discovered had their\r\ncompile timestamps tampered with but masqueraded as XDR agent from version 7.8.0.64264. Cortex XDR v7.8\r\nwas released on Aug. 7, 2022, and decommissioned on April 24, 2023. Therefore, it is likely that the threat actors\r\noperated this cluster of implants during the aforementioned timeframe. For example, one of the\r\n“CyveraConsole.exe” implants was compiled on Nov. 16, 2022, falling approximately in the middle of this time\r\nwindow of the life of Cortex XDR v7.8.\r\nVersion information of HTTPSnoop sample with fake Cortex XDR information.\r\nA primer on HTTPSnoop\r\nHTTPSnoop is a simple, yet effective, new backdoor that uses low-level Windows APIs to interact directly with\r\nthe HTTP device on the system. 
It leverages this capability to bind to specific HTTP(S) URL patterns to the\r\nendpoint to listen for incoming requests. Any incoming requests for the specified URLs are picked up by the\r\nimplant, which then proceeds to decode the data accompanying the HTTP request. The decoded HTTP data is, in\r\nfact, shellcode that is then executed on the infected endpoint.\r\nHTTPSnoop consists of the same code across all observed variants, with the key difference in samples being the\r\nURL patterns that it listens for. So far, we have discovered three variations in the configuration:\r\nGeneric HTTP URL-based: Listens for generic HTTP URLs specified by the implant.\r\nEWS-related URLs listener: Listen for URLs that mimic Microsoft’s Exchange Web Services (EWS) API.\r\nOfficeCore’s Location Based Services (LBS)-related URL listener: Listens for URLs that mimic\r\nOfficeCore’s LBS/OfficeTrack and telephony applications.\r\nHTTPSnoop variants\r\nThe DLL-based variants of HTTPSnoop usually rely on DLL hijacking in benign applications and services to get\r\nactivated on the infected system. The attackers initially crafted the first variant of the implant on April 17, 2023,\r\nso that it could bind to specific HTTP URLs on the endpoint to listen for incoming shellcode payloads that are\r\nthen executed on the infected endpoint. These HTTP URLs resemble those of Microsoft’s Exchange Web Services\r\n(EWS) API, a product that enables applications to access mailbox items.\r\nA second variant, generated on April 19, 2023, is nearly identical to the initial version of HTTPSnoop from April\r\n17. The only difference is that this second variant is configured to listen to a different set of HTTP URLs on Ports\r\n80 and 443 exclusively, indicating that the attackers may have intended to focus on a separate non-EWS internet-exposed web server.\r\nThe attackers then built a third variant that consisted of a killswitch URL and one other URL that the implant\r\nlistens to. 
This implant was crafted on April 29, 2023. This version of the implant was likely an effort to minimize\r\nthe number of URLs that the implant listens to, to reduce the likelihood of detection.\r\nHTTPSnoop analysis\r\nThe DLL analyzed simply consists of two key components:\r\nEncoded Stage 2 shellcode.\r\nEncoded Stage 2 configuration.\r\nThe malicious DLL on activation will XOR decode the Stage 2 configuration and shellcode and run it.\r\nSingle byte XOR routine to decode Stage components.\r\nStage 2 analysis\r\nStage 2 is a single-byte XOR’ed backdoor shellcode that uses the accompanying configuration data to listen for\r\nincoming shellcode to execute on the infected endpoint. As part of Stage 2, the sample proceeds to make\r\nnumerous calls to kernel devices in order to set up a web server endpoint for its backdoor. The implant opens a\r\nhandle to “\\Device\\Http\\Communication” and calls the HTTP driver API “http.sys!UlCreateServerSession” with\r\nIOCTL code 0x128000 to initialize the connection to the HTTP server. The sample continues by creating a new\r\nURL group using http.sys!UlCreateUrlGroup with IOCTL code 0x128010, opens a request queue device\r\n“\\Device\\Http\\ReqQueue” and sets the new URL group for the session using http.sys!UlSetUrlGroup with IOCTL\r\ncode 0x12801d.\r\nUsing the decrypted configuration the sample begins to feed the URLs to the HTTP server via\r\nhttp.sys!UlAddUrlToUrlGroup with IOCTL code 0x128020. This binds the specified URL patterns to a\r\nlistenable endpoint for the malware to communicate. 
The implant takes care to not overwrite already existing URL\r\npatterns being serviced by the HTTP server, to coexist with previous configurations on the server, such as EWS\r\nand prevent URL listener collisions.\r\nWith the URLs bound to listen on the kernel’s web server, the malware proceeds to listen in a loop for incoming\r\nHTTP requests, carried out via http.sys!UlReceiveHttpRequest. If the headers from the HTTP request contain a\r\nconfigured keyword, in this particular sample’s case, “api_delete”, the listening loop for the infection will\r\nterminate. Once a request comes in, it creates a new thread and calls http.sys!UlReceiveEntityBody with IOCTL\r\ncodes 0x12403b, or 0x12403a when running Windows Server 2022 version 21H2, to receive the full message\r\nbody from the implant operator. If the request has valid data, the sample proceeds to process the request or else\r\nreturns an HTTP 302 Found redirect response to the requester.\r\nValid data comes in the form of a base64-encoded request body. Upon decoding, it proceeds to use the first byte of\r\ndata to single-byte XOR-decode the rest of the data. Once decrypted, a simple data structure is unveiled. The\r\npayload received from the operator is an arbitrary shellcode payload. The execution metadata consists of an\r\nuninitialized pointer and size, plus the size of the metadata structure, which is a constant 0x18. These uninitialized\r\npointers are initialized by the execution of the shellcode, used to pass back data to the implant to eventually send\r\nback to the operator as a response to the HTTP request.\r\nPayload structure from C2.\r\nThe ultimate result of the execution of the arbitrary shellcode is returned to the requester (operator) in the form of\r\na base64-encoded XOR-encoded blob. The first byte of the response is a random letter from the ASCII table,\r\nwhich is used to XOR the rest of the response. 
With this, the malware sends back a 200 OK response with the\r\nencoded execution result in its body via http.sys!UlSendHttpResponse with IOCTL code 0x12403f.\r\nIntroducing PipeSnoop\r\nThe PipeSnoop implant, created in May 2023, is a simple implant that can run arbitrary shellcode payloads on the\r\ninfected endpoint by reading from an IPC pipe. Although semantically similar, the PipeSnoop implant should not\r\nbe considered an upgrade of HTTPSnoop. Both implants are likely designed to work under different\r\nenvironments. The HTTP URLs used by HTTPSnoop along with the binding to the built-in Windows web server\r\nindicate that it was likely designed to work on internet-exposed web and EWS servers. PipeSnoop, however, as\r\nthe name may imply, reads and writes to and from a Windows IPC pipe for its input/output (I/O) capabilities. This\r\nsuggests the implant is likely designed to function further within a compromised enterprise, instead of public-facing servers like HTTPSnoop, and probably is intended for use against endpoints the malware operators deem\r\nmore valuable or high-priority. PipeSnoop is likely used in conjunction with another component that is capable of\r\nfeeding it the required shellcode. (This second component is currently unknown.)\r\nPipeSnoop analysis\r\nPipeSnoop is a simple backdoor that, much like HTTPSnoop, aims to act as a backdoor executing arbitrary\r\nshellcode on the infected endpoint. In contrast to HTTPSnoop however, PipeSnoop does not rely on initiating and\r\nlistening for incoming connections via an HTTP server. As indicated by the name, PipeSnoop will simply attempt\r\nto connect to a pre-existing named pipe on the system. Named pipes are a common means of Inter-Process\r\nCommunication (IPC) on the Windows operating system. 
The key requirement here is that the named pipe that\r\nPipeSnoop connects to should have been already created/established - PipeSnoop does not attempt to create the\r\npipe, it simply tries to connect to it. This capability indicates that PipeSnoop cannot function as a standalone\r\nimplant (unlike HTTPSnoop) on the endpoint. It needs a second component, that acts as a server that will obtain\r\narbitrary shellcode via some methods and will then feed the shellcode to PipeSnoop via the named pipe.\r\nImplant connecting to a named pipe to obtain arbitrary shellcode.\r\nMasquerading as benign traffic on the wire\r\nWe’ve observed HTTPSnoop listening for URL patterns that make it look like the infected system being contacted\r\nis a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of “ews” and\r\n“autodiscover” keywords over Ports 443 and 444:\r\nSome of the HTTPSnoop implants use HTTP URLs that masquerade as those belonging to OfficeTrack, an\r\napplication developed by software company OfficeCore that helps users manage different administrative tasks. In\r\nseveral instances, we see URLs ending in “lbs” and “LbsAdmin,” references to the application’s earlier name\r\n(OfficeCore’s LBS System) before it was later rebranded as OfficeTrack. OfficeTrack is currently marketed as a\r\nworkforce management solution geared toward providing coverage for logistics, order orchestration and\r\nequipment control. OfficeTrack is especially marketed towards telecommunication firms. Some of the LBS URLs\r\nused by HTTPSnoop are:\r\nThe HTTP URLs also consist of patterns mimicking provisioning services from an Israeli telecommunications\r\ncompany. 
This telco may have used OfficeTrack in the past and/or currently uses this application, based on open-source findings.\r\nSome of the URLs in the HTTPSnoop implant are also related to those of systems from the telecommunications\r\nfirm:\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nNote: We have shared our findings with both Microsoft and Palo Alto Networks for this threat and intrusion set.\r\nClamAV detections are available for this threat:\r\nWin.Trojan.WCFBackdoor\r\nIndicators of Compromise (IOCs)\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/introducing-shrouded-snooper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/introducing-shrouded-snooper/"
	],
	"report_names": [
		"introducing-shrouded-snooper"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9d63303c-817c-40d7-b703-c6d62f0dbddc",
			"created_at": "2023-10-14T02:03:14.471787Z",
			"updated_at": "2026-04-10T02:00:04.891855Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "ETDA:ShroudedSnooper",
			"tools": [
				"HTTPSnoop",
				"PipeSnoop",
				"TOFULOAD",
				"TOFUPIPE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1ddad928-ad5f-4885-9abd-e8965dd793df",
			"created_at": "2023-11-08T02:00:07.129402Z",
			"updated_at": "2026-04-10T02:00:03.421623Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "MISPGALAXY:ShroudedSnooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434308,
	"ts_updated_at": 1775792132,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c99f2f7f66f4ef1cb00a86dd05c37e24a119d35f.pdf",
		"text": "https://archive.orkl.eu/c99f2f7f66f4ef1cb00a86dd05c37e24a119d35f.txt",
		"img": "https://archive.orkl.eu/c99f2f7f66f4ef1cb00a86dd05c37e24a119d35f.jpg"
	}
}