{
	"id": "0fd31739-3a45-4cb3-bcc4-6a611e9766d3",
	"created_at": "2026-04-06T00:06:46.148439Z",
	"updated_at": "2026-04-10T03:35:48.555707Z",
	"deleted_at": null,
	"sha1_hash": "d4eeb21e1531c151f318541d048c1b980fa857a8",
	"title": "Log4Shell attacks expand to nation-state groups from China, Iran, North Korea, and Turkey",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 158776,
	"plain_text": "Log4Shell attacks expand to nation-state groups from China, Iran,\r\nNorth Korea, and Turkey\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-18 · Archived: 2026-04-05 17:24:11 UTC\r\nNation-state groups from China, Iran, North Korea, and Turkey are now abusing the Log4Shell (CVE-2021-\r\n44228) vulnerability to gain access to targeted networks, Microsoft said on Tuesday.\r\n\"This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild\r\npayload deployment, and exploitation against targets to achieve the actor's objectives,\" the company said in an\r\nupdate on its Log4Shell guidance blog post.\r\nKnown threat actors linked to Log4Shell attacks include Phosphorus (Iran) and Hafnium (China). Microsoft did\r\nnot name the threat actors operating out of North Korea and Turkey.\r\n\"For example, MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware,\r\nacquiring and making modifications of the Log4j exploit,\" Microsoft said yesterday.\r\n\"In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability\r\nto attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated\r\nsystems were observed using a DNS service typically associated with testing activity to fingerprint systems,\" the\r\ncompany added.\r\nIn addition, Microsoft said it has also observed multiple threat actors who serve as initial access brokers for\r\nransomware gangs using the Log4Shell exploit to gain a foothold on corporate networks.\r\nThese groups typically sell access to these hacked networks to ransomware gangs, and Microsoft worries that\r\nLog4Shell may contribute to a spike in ransomware attacks over the coming months.\r\nhttps://therecord.media/log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey/\r\nPage 1 of 3\n\nThe company's fears aren't an isolated sentiment, having also been echoed by many security experts over the past\r\nfew days since the Log4Shell vulnerability came to light.\r\nA first ransomware operation leveraging the Log4Shell exploit was spotted on Sunday.\r\nNamed Khonsari (\"bloodshed\" in Persian), the ransomware was categorized as a low-effort skidware that tried to\r\nframe a person of Iranian descent living in Louisiana as the attacker, providing no way for victims to recover\r\nencrypted files.\r\nThis attack was one of the several malware operations that have targeted the Log4Shell exploit and used it to\r\nspread to vulnerable systems. Over 60 variations of the Log4Shell exploit have been observed in the wild so far,\r\nand attacks have been linked to DDoS botnets, crypto-mining operations, and commodity malware\r\nlike StealthLoader.\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey/\r\nPage 2 of 3\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey/\r\nhttps://therecord.media/log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey/"
	],
	"report_names": [
		"log4shell-attacks-expand-to-nation-state-groups-from-china-iran-north-korea-and-turkey"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434006,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4eeb21e1531c151f318541d048c1b980fa857a8.pdf",
		"text": "https://archive.orkl.eu/d4eeb21e1531c151f318541d048c1b980fa857a8.txt",
		"img": "https://archive.orkl.eu/d4eeb21e1531c151f318541d048c1b980fa857a8.jpg"
	}
}