{ "id": "b2311276-8c30-42ab-8375-9028a367d459", "created_at": "2026-04-06T00:18:31.728536Z", "updated_at": "2026-04-10T03:32:21.093235Z", "deleted_at": null, "sha1_hash": "cdf6d170e3fc3eba11b1d5c976e3c5cd50f870ce", "title": "KEYPLUG (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 57452, "plain_text": "KEYPLUG (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 20:23:00 UTC\r\nKEYPLUG\r\naka: ELFSHELF\r\nActor(s): APT41\r\nThere is no description at this point.\r\nReferences\r\n2025-01-23 ⋅ Hunt.io ⋅\r\nMapping Suspected KEYPLUG Infrastructure: TLS Certificates, GhostWolf, and RedGolf/APT41 Activity\r\nKEYPLUG\r\n2024-09-24 ⋅ Virus Bulletin ⋅ Aragorn Tseng, Chi-Yu You, Cristiana Brafman Kittner, Steve Su\r\nDown the GRAYRABBIT HOle - Exposing UNC3569 and its Modus Operandi\r\nKEYPLUG Cobalt Strike CROSSWALK GRAYRABBIT HelloBot HUI Loader PlugX SiestaGraph\r\n2024-05-21 ⋅ Yoroi ⋅ Carmelo Ragusa, Luigi Martire\r\nUncovering an undetected KeyPlug implant attacking industries in Italy\r\nKEYPLUG\r\n2023-12-11 ⋅ Sentinel LABS ⋅ Aleksandar Milenkoski, Bendik Hagen\r\nSandman APT | China-Based Adversaries Embrace Lua\r\nKEYPLUG LuaDream\r\n2023-03-30 ⋅ Recorded Future ⋅ Insikt Group\r\nWith KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets\r\nKEYPLUG Cobalt Strike PlugX RedGolf\r\n2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh\r\nThe Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT\r\n(slides)\r\nKEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug\r\nPage 1 of 2\n\n2022-03-28 ⋅ Mandiant ⋅ Brandon Wilbur, Dallin Warne, Geoff Ackerman, James Maclachlan, John Wolfram, Tufail Ahmed\r\nForged in Fire: A Survey of MobileIron Log4Shell Exploitation\r\nKEYPLUG\r\n2022-03-08 ⋅ Mandiant ⋅ Douglas Bienstock, Geoff Ackerman, John Wolfram, Rufus Brown, Van Ta\r\nDoes This Look Infected? A Summary of APT41 Targeting U.S. State Governments\r\nKEYPLUG Cobalt Strike LOWKEY\r\n2022-03-08 ⋅ Twitter (@CyberJack42) ⋅ CyberJack\r\nTweet on ELFSHELF alias for KEYPLUG\r\nKEYPLUG\r\n2022-02-26 ⋅ Mandiant ⋅ Mandiant\r\nTRENDING EVIL Q1 2022\r\nKEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug" ], "report_names": [ "elf.keyplug" ], "threat_actors": [ { "id": "7936e2f8-5179-414a-8b57-530c28062f26", "created_at": "2023-04-27T02:04:45.231554Z", "updated_at": "2026-04-10T02:00:04.87247Z", "deleted_at": null, "main_name": "RedGolf", "aliases": [], "source_name": "ETDA:RedGolf", "tools": [ "Agent.dhwf", "Agentemis", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "ELFSHELF", "KEYPLUG", "Kaba", "Korplug", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f799b96d-bc59-4b35-ae5c-dfe87e5b735b", "created_at": "2023-04-26T02:02:01.286476Z", "updated_at": "2026-04-10T02:00:03.363506Z", "deleted_at": null, "main_name": "RedGolf", "aliases": [], "source_name": "MISPGALAXY:RedGolf", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "03e8b0b5-c7fb-424a-a67b-f40c3ba3f51c", "created_at": "2023-10-14T02:03:14.454929Z", "updated_at": "2026-04-10T02:00:04.882917Z", "deleted_at": null, "main_name": "Sandman", "aliases": [], "source_name": "ETDA:Sandman", "tools": [ "DreamLand", "LuaDream" ], "source_id": "ETDA", "reports": null }, { "id": "d027fba8-ffe7-4093-aa0d-833b52ce4427", "created_at": "2023-01-06T13:46:39.438394Z", "updated_at": "2026-04-10T02:00:03.326914Z", "deleted_at": null, "main_name": "TianWu", "aliases": [], "source_name": "MISPGALAXY:TianWu", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6fde2d10-cf90-4eae-a249-838a36f76075", "created_at": "2023-12-19T02:00:06.26466Z", "updated_at": "2026-04-10T02:00:03.498264Z", "deleted_at": null, "main_name": "Sandman APT", "aliases": [], "source_name": "MISPGALAXY:Sandman APT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d24c2548-d163-4a73-865f-0d4cb917fee7", "created_at": "2024-04-20T02:00:03.580316Z", "updated_at": "2026-04-10T02:00:03.628323Z", "deleted_at": null, "main_name": "UNC3569", "aliases": [], "source_name": "MISPGALAXY:UNC3569", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "6dbb9bfb-3d63-4f81-99bd-35d61304d82a", "created_at": "2023-01-06T13:46:39.441522Z", "updated_at": "2026-04-10T02:00:03.330836Z", "deleted_at": null, "main_name": "SLIME29", "aliases": [], "source_name": "MISPGALAXY:SLIME29", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434711, "ts_updated_at": 1775791941, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/cdf6d170e3fc3eba11b1d5c976e3c5cd50f870ce.pdf", "text": "https://archive.orkl.eu/cdf6d170e3fc3eba11b1d5c976e3c5cd50f870ce.txt", "img": "https://archive.orkl.eu/cdf6d170e3fc3eba11b1d5c976e3c5cd50f870ce.jpg" } }