{
	"id": "d29decef-45f0-4096-8897-a4e9056e14ee",
	"created_at": "2026-04-06T00:12:48.472013Z",
	"updated_at": "2026-04-10T13:12:48.520007Z",
	"deleted_at": null,
	"sha1_hash": "d1478b463999e146e17f61b5af99e9aca1549390",
	"title": "China’s Covert Capabilities | Silk Spun From Hafnium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3793877,
	"plain_text": "China’s Covert Capabilities | Silk Spun From Hafnium\r\nBy Dakota Cary\r\nPublished: 2025-07-30 · Archived: 2026-04-05 21:46:39 UTC\r\nExecutive Summary\r\nSentinelLABS identified 10+ patents for highly intrusive forensics and data collection technologies that\r\nwere registered by companies named in U.S. indictments as working on behalf of the Hafnium threat actor\r\ngroup.\r\nThese technologies offer strong, often previously unreported offensive capabilities, ranging from acquisition of\r\nencrypted endpoint data and mobile forensics to collecting traffic from network devices.\r\nOur research explores the relationships between indicted hackers, ownership of the firms they are\r\nassociated with, and the relationships those firms have with several government entities who conduct\r\noffensive cyber operations on behalf of China.\r\nOverview\r\nIn July 2025, the Department of Justice (DOJ) released an indictment of two hackers, Xu Zewei and Zhang Yu,\r\nworking on behalf of China’s Ministry of State Security (MSS), that sheds new light on the People’s Republic of\r\nChina’s (PRC) contracting ecosystem. The indictment outlined that Xu and Zhang worked for two firms\r\npreviously unattributed in the public domain to the Hafnium (aka Silk Typhoon) threat actor group. Hafnium has a\r\nlong history of attacks against defense contractors, policy think tanks, higher education, and infectious disease\r\nresearch institutions, with an exceptionally prolific 2021 campaign that exploited several 0-day vulnerabilities in\r\nMicrosoft Exchange Server (MES). Hafnium’s history of exploits and 0-day use, combined with its targets and\r\nobserved campaigns, makes it one of China’s best APTs.\r\nThis research resulted in three key findings.\r\n1. We identified previously unobserved or unreported offensive tooling owned by Hafnium-associated\r\ncompanies named in U.S. indictments. 
The tooling raises questions about these firms’ on-going work in\r\nsupport of the MSS and about why attribution is difficult. One of these companies holds at least one patent on software\r\ndesigned to remotely recover files from Apple computers, which has not been documented as a capability\r\nused by Hafnium or any related threat actor groups.\r\n2. The DOJ indictment provides new insights into the tiers of relationships between hackers and their\r\ncustomers. This report raises important questions about the extent to which the MSS and its regional\r\noffices offer operational support to their contracted hackers.\r\n3. Our research delves into several companies tied to the indicted Hafnium-affiliated hackers and documents\r\ntheir relationships. Importantly, the report finds evidence of multiple companies registered by one of the\r\ndefendants, and dozens more by an associate.\r\nhttps://www.sentinelone.com/labs/chinas-covert-capabilities-silk-spun-from-hafnium/\r\nPage 1 of 8\n\nThis new insight into the Hafnium-affiliated firms’ capabilities highlights an important deficiency in the threat\r\nactor attribution space: threat actor tracking typically links campaigns and clusters of activity to a named actor.\r\nOur research demonstrates the strength in identifying not only the individuals behind attacks, but the companies\r\nthey work for, the capabilities those companies have, and how those capabilities fortify the initiatives of the state\r\nentities who contract with these firms.\r\nAn organization chart for people and businesses known to be associated with Hafnium\r\nHafnium’s Impact\r\nIt’s rare for a hacking team to behave so recklessly that it changes a country’s foreign policy and unifies the E.U.,\r\nU.K., and U.S. into speaking with one voice, but Hafnium wouldn’t be famous if they hadn’t done that. And,\r\nactually, they didn’t do it.\r\nHafnium gained fame following the revelation of their stealthy access to U.S. 
Government emails through an\r\nMES vulnerability known as ProxyLogon, which came to light in March 2021. But the group is often wrongly\r\nblamed for what happened next. The name Hafnium became associated with the wider abuse of the ProxyLogon\r\nvulnerabilities that followed the original Hafnium activity, as lesser-tier threat groups flooded the zone with\r\nexploitation attempts to opportunistically deliver payloads ranging from espionage to ransomware.\r\nMicrosoft alerted its Microsoft Advanced Protection Program partners to some proof-of-concept (PoC) code on February 23. This\r\nprogram provides some select cybersecurity companies early access to powerful new exploits, so they can better\r\ndefend their customers. Five days later, on February 28, new Chinese state-affiliated and criminal hacking\r\ngroups began exploiting the vulnerability at an immense scale. It remains unclear how exactly the exploit\r\nproliferated ahead of the patch. The longer tail of the problem arises from the prevalence of webshells littered by\r\neach attacker’s use of ProxyLogon. These groups left shells on vulnerable servers, allowing access to those servers\r\neven after the vulnerability itself was patched. The situation was so dire that the DOJ received its first court\r\nauthorization for the FBI to remove these shells en masse from compromised servers.\r\nThe rapid dissemination and exploitation of the vulnerability led the U.S., U.K., and E.U. to issue their first ever\r\njoint statement condemning PRC actions in cyberspace in July 2021. The statement roiled CCP policymakers who\r\nhad previously fended off such joint decrees by convincing one E.U. state to reject such declarations. Because the\r\nE.U. 
requires unanimous consent for foreign policy statements, the fallout from the wanton abuse of the\r\nvulnerability upended China’s foreign policy success.\r\nThe joint statement so perturbed CCP policymakers that the country launched an offensive public opinion\r\ncampaign against U.S. hacking operations that continues today. Before the July 2021 joint statement, the PRC did\r\nnot coordinate cyber threat intelligence publications with state propaganda outlets. Following the statement, a\r\npattern emerged of coordinated private-sector CTI reports, English-language propaganda pieces, and statements\r\nby the PRC Ministry of Foreign Affairs. SentinelOne published a report detailing this change in February 2024,\r\nand the findings of that report are corroborated by a textbook on cybersecurity published by a committee of\r\nexperts in China. China now regularly releases propaganda pieces alongside cyber threat intelligence reports; the\r\nchange was completely prompted by the success the U.S. had in unifying the European Union behind a joint\r\nstatement, which was itself enabled by China’s behavior.\r\nHafnium’s False Start or The Less Capable Cluster?\r\nFollowing an intrusion into U.S. Treasury systems that came to light in late 2024, the Department sanctioned one\r\nof its alleged hackers, Yin Kecheng (尹可成). The Treasury sanctions, announced in January 2025, were quickly\r\nfollowed by a March DOJ indictment of Yin and a business associate, Zhou Shuai (周帅). Two separate\r\nindictments were released for Yin in March. The first document is dated 2017 and names only Yin as the\r\ndefendant. The second indictment is dated 2023 and lists both Yin and Zhou.\r\nZhou Shuai, aka Coldface, is a first-generation patriotic hacker from China with a storied history of corporate\r\nregistrations and work for the state. 
The March 2025 indictment of Zhou and Yin indicates that Zhou brokered the\r\nsale of Yin’s work through i-Soon, a company whose internal chats and corporate records were leaked online in\r\nearly 2024. Leaked chats showed i-Soon executives considering a merger and acquisition of Zhou’s Shanghai-based company. i-Soon executives also chastised Zhou for being a mere broker.\r\nThe DOJ press release for the indictments indicates that Yin’s and Zhou’s activities were tracked under various\r\nnaming conventions and clusters, including Silk Typhoon. Microsoft updated the group’s alias from Hafnium to\r\nSilk Typhoon in 2022.\r\nDOJ press release summary listing the Hafnium group’s aliases\r\nAs of March 2025, Hafnium apparently consisted of a Shanghai-based company, Shanghai Heiying Information\r\nTechnology Company (上海黑英信息技术有限公司), run by Zhou Shuai, which collaborated with Yin Kecheng\r\nin some fashion.\r\nHafnium and Other Elements\r\nFollowing the release of the July 2025 indictment of Xu Zewei and Zhang Yu, the number of people alleged to work for\r\nHafnium grew to four and the number of companies involved grew to three. The DOJ maintains that Xu Zewei\r\nand Zhang Yu worked at the “direction” of the Shanghai State Security Bureau (SSSB). Xu Zewei completed his\r\ntasking while working at Shanghai Powerock Network Company (上海势岩网络科技发展有限公司); Zhang Yu\r\nworked at Shanghai Firetech Information Science and Technology Company (上海势炎信息科技有限公司).\r\nThis “directed” nature of the relationship between the SSSB and these two companies outlines the tiered system\r\nof offensive hacking outfits in China.\r\nOther capable analysts have adeptly delved into Shanghai Powerock, so this report focuses on Zhang Yu’s company,\r\nShanghai Firetech. 
Far from being an offensive shop procuring initial access and intelligence in the hopes of\r\nfinding a willing buyer, as in the case of i-Soon, Shanghai Firetech worked on specific tasking handed down from\r\nMSS officers. The indictment maintains that Zhang Yu “supervised hacking activity, including that of other\r\nFiretech personnel in support of such [SSSB] taskings, and coordinated hacking activities with fellow hacker\r\nXU.” This indicates that Shanghai Firetech and co-conspirators earned an on-going, trusting relationship with the\r\nMSS’s premier regional office, the SSSB.\r\nChina experts and law enforcement distinguish between China’s operational structures. At the lowest tier of the\r\ncontracting ecosystem are bottom feeders, like i-Soon. That company’s leaked files and the U.S. indictment of its\r\nemployees show a firm stuck in low-paying contracts with poor morale, often subcontracting to bigger, better\r\nfirms. A step up from i-Soon might be its prime contractor and competitor, Chengdu 404, whose founders were\r\nalso indicted. Chengdu 404 has stable business, works from multiple offices, and at one point was China’s most\r\nprolific APT. The tier of contractors the Chinese government holds closest are actors like Xu Zewei and Zhang Yu.\r\nBut the MSS has not completely abandoned state-run operations. Past DOJ indictments show that other MSS\r\noffices do indeed use front companies. The Hubei State Security Department established Wuhan Xiao Rui Zhi\r\n(Wuhan XRZ) in 2010 as a front company for state operations.\r\nYou’re My Favorite Deputy\r\nThe peculiarities of Hafnium’s MES exploitation campaign raise questions about the relationship between the\r\nSSSB and its contractors. Hafnium began exploiting MES vulnerabilities in January 2021. The exact\r\ndate Hafnium’s campaign began is unclear, but the month is itself enough to raise eyebrows. 
On January 5, 2021,\r\nOrangeTsai tweeted he had found an incredibly powerful pre-auth RCE vulnerability, later confirmed to be the\r\nsame MES vulnerabilities exploited by Hafnium. How did Hafnium come to exploit those vulnerabilities in the\r\nsame month that OrangeTsai found them?\r\nTheories swirled that Hafnium had compromised devices of employees working on inbound vulnerability reports\r\nat Microsoft. Other attention turned to the researcher’s personal security. As a resident of Taiwan, international\r\nconference attendee, and among the most talented vulnerability researchers with a public persona, it would not be\r\ninconceivable that Hafnium had itself hacked into OrangeTsai’s devices and stolen the vulnerabilities during his\r\nresearch phase.\r\nBut Zhang and Xu’s close relationship with the SSSB raises the possibility that the Bureau collected\r\nOrangeTsai’s research themselves, either through an insider at Microsoft, a close-access operation against\r\nOrangeTsai, or some other collection method, and then passed the vulnerabilities to Xu and Zhang. A DOJ\r\nindictment shows the Guangdong State Security Department passing malware to its contracted hackers: had the\r\nSSSB done something similar?\r\nBefore Shanghai\r\nHow Zhang Yu and Shanghai Firetech came to work for the SSSB remains unclear. Before moving into offensive\r\nhacking, Zhang Yu co-founded a company, Shanghai Weiling Information Science and Technology Co. (上海微令\r\n信息科技有限公司), whose smartphone application Campus Command (校园司令) aimed to connect college\r\nstudents with local events and information at universities across China. But, as with all investigations, that is\r\nperhaps not the whole story. Zhang Yu co-founded Campus Command with the CEO and legal representative of\r\nShanghai Firetech, Yin Wenji (尹文基). 
The two associates were joined by a third person, Peng Yinan (彭一楠).\r\nCampus Command was, until 2016, a subsidiary of Xin Kai Pu (新开普), a company whose shares are publicly\r\ntraded on the stock exchange in Shenzhen. When Xin Kai Pu divested its shares, Peng, Yin, and Zhang moved\r\ntheir holdings into a privately held company offering business consulting services, Shanghai Siling Commerce\r\nConsulting Center (上海司领商务咨询中心). Peng now holds shares in at least 25 companies registered in China.\r\nA 2015 talk by Yin Wenji, the eventual founder of Shanghai Firetech and co-founder of Campus Command, raises\r\nquestions about his offensive capabilities while working at the university-focused company with the indicted\r\nZhang Yu.\r\nYin spoke at the Central University of Finance and Economics program for cybersecurity. His 2015 talk advertised\r\nhis ability to recover files from Apple FileVault five years before his new company would file for patent protection\r\non a tool capable of collecting files from Apple computers.\r\nDescription of Yin Wenji’s 2015 talk at the Central University of Finance and Economics\r\nThe talk description translates to:\r\n“In this speech, the author will sort out some methods and directions of forensics on Apple electronic products,\r\nand propose new ideas for some technical difficulties such as Mac computer firmware passwords and FileVault\r\nfull disk encryption technology, and will demonstrate the latest research results.”\r\nSilk Bandolier\r\nThere is good reason to believe only some of Shanghai Firetech’s activities have been uncovered or made public\r\nby defenders. Hafnium rose to prominence in 2021 following the exploitation of four 0-day vulnerabilities in\r\nMicrosoft Exchange Servers. Subsequent publications demonstrate the group is responsible for cracking a host of\r\nfirewalls and network appliances. 
Intellectual property rights filings by Shanghai Firetech indicate an arsenal of\r\ntools not publicly attributed to Hafnium thus far. Shanghai Firetech filed for patents on a number of forensics\r\ntechnologies with clear applications as offensive capabilities, including:\r\n“remote automated evidence collection software”\r\n“Apple computer comprehensive evidence collection software”\r\n“router intelligent evidence collection software”\r\n“computer scene rapid evidence collection software”\r\n“defensive equipment reverse production software”\r\nWhile Hafnium’s observed capabilities check some of these generic boxes, no one has previously reported the\r\ngroup’s capabilities against Apple devices.\r\nShanghai Firetech technology patents\r\nMore recent patent filings from Shanghai Firetech, combined with the company’s history of working with the\r\nSSSB, suggest the company holds capabilities that may be useful in HUMINT operations. Capabilities like\r\n“intelligent home appliances analysis platform (2),” “long-range household computer network intelligentized\r\ncontrol software (6),” and “intelligent home appliances evidence collection software (23)” could support close\r\naccess operations against individuals. Other recent patents demonstrate that the firm still supports offensive cyber\r\noperations, such as “specially designed computer hard drive decryption software (13),” “remote cellphone evidence\r\ncollection software (21),” or “network information security actual confrontation practice software (24).”\r\nMore recent Shanghai Firetech technology patent filings\r\nShanghai Firetech relationships with MSS offices beyond just the Shanghai Bureau may explain why some\r\npatented capabilities have not been observed to be associated with Hafnium tradecraft. 
While no public tenders or\r\ncontracts were found, Shanghai Firetech likely offers offensive services to additional customers beyond Shanghai.\r\nThe company maintains a subsidiary in Chongqing, Chongqing Firetech (重庆势炎信息科技有限公司).\r\nChongqing Firetech is likely larger than its Shanghai-based mothership. In the summer of 2018, Chongqing\r\nFiretech opened positions for up to 25 college interns, including for a third office in Nanchang. Shanghai Firetech,\r\nby contrast, only paid insurance benefits on 32 full-time employees. It is unclear whether the absence of\r\nChongqing Firetech from the indictment indicates that the company was not involved in activity attributed to the\r\nHafnium cluster.\r\nConclusion\r\nThe combination of leaked chat logs from i-Soon, the March 2025 indictments of Yin Kecheng and Zhou Shuai,\r\nand the July 2025 indictment of Xu Zewei and Zhang Yu indicate that the Hafnium cluster consisted of at least four\r\npeople working across at least three different companies. At least two of those persons, Xu Zewei and Zhang Yu, and their respective companies,\r\nShanghai Powerock Network Co Ltd. and Shanghai Firetech Information Science and Technology Co Ltd, worked\r\nunder the direction of the SSSB. Yin Kecheng likely worked alongside Xu and Zhang, though in what\r\ncapacity (as an employee, a subcontractor, or jointly tasked by the SSSB) is unclear. Although Zhou Shuai is\r\nobserved trying to sell Yin’s work through i-Soon, it is unknown which of Yin’s work, access, or tooling Zhou was\r\ntrying to push.\r\nThe variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon\r\npublicly. The findings underline the difficulty in successfully attributing intrusions to the organizations responsible\r\nfor them. The capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium,\r\ndespite being owned by the same corporate structure. 
It is possible that none of the tooling uncovered by this\r\nreport was ever deployed in offensive operations. Tooling for the remote control of home appliances, home\r\ncomputer networks, decryption of files, and remote mobile forensics does have commercial defensive applications.\r\nThat said, we reasonably expect those tools to be advertised if sold for defensive purposes, and no such collateral\r\nexists.\r\nThreat actor designations and naming conventions track clusters of behavior, not the organizations carrying out\r\noperations. Successful attribution resolves a campaign back to its actual operators, like Hafnium or Fancy Bear.\r\nThis report finds there are very likely other campaigns and activities tracked under different names which can be\r\nattributed to Shanghai Firetech. Their absence from the DOJ indictment of Zhang Yu and Xu Zewei\r\nmay reflect a balance of equities on the part of the FBI, releasing in the indictment only what is popularly\r\nrecognized as Hafnium and meets relevant legal thresholds while privately retaining intelligence of the company’s\r\nother campaigns and tooling.\r\nSource: https://www.sentinelone.com/labs/chinas-covert-capabilities-silk-spun-from-hafnium/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/chinas-covert-capabilities-silk-spun-from-hafnium/"
	],
	"report_names": [
		"chinas-covert-capabilities-silk-spun-from-hafnium"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1478b463999e146e17f61b5af99e9aca1549390.pdf",
		"text": "https://archive.orkl.eu/d1478b463999e146e17f61b5af99e9aca1549390.txt",
		"img": "https://archive.orkl.eu/d1478b463999e146e17f61b5af99e9aca1549390.jpg"
	}
}